[40047] in bugtraq

RE: uguestbook exploit

daemon@ATHENA.MIT.EDU (Earnhart, Benjamin J)
Mon Aug 1 15:46:40 2005

Date: Thu, 28 Jul 2005 13:39:30 -0500
Message-ID: <4F5CA8D7D1561B45A128D35DB86BA8F80299987F@IOWAEVS03.iowa.uiowa.edu>
From: "Earnhart, Benjamin J" <benjamin-earnhart@uiowa.edu>
To: <l--s@hotmail.com>, <bugtraq@securityfocus.com>

That's not a product-specific exploit or a flaw in the product.  

If somebody mis-configures their installation of it by putting the
database file in a directory accessible via the web, then getting the
database file is trivial for any package. The very first step in the
documentation for uguestbook says not to do that, see:
http://www.uapplication.com/uguestbook/doc.asp   


> -----Original Message-----
> From: l--s@hotmail.com [mailto:l--s@hotmail.com] 
> Sent: Thursday, July 28, 2005 10:31 AM
> To: bugtraq@securityfocus.com
> Subject: uguestbook exploit
> 
> hello , 
> 
> By ...... MeSa7eB
> 
> Data ...... 28/7/2005
> 
> pro ......   http://www.uapplication.com/
> 
> My web site :  http://3asfh.net/vb
> 
> My Email :  l--s@hotmail.com
> 
> ===============================================
> 
> exploit : 
> 
> http://xxx.com/guestbook/mdb-database/guestbook.mdb 
> 
> ==================================
> 
