Family: CGI abuses --> Category: infos
PHP-Fusion Database Backup Disclosure Vulnerability Scan
Vulnerability Scan Summary :
Checks the version of the remote PHP-Fusion
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is prone to
information disclosure.
Description :
A vulnerability exists in the remote version of PHP-Fusion that may
allow an attacker to obtain a dump of the remote database. PHP-Fusion
can create database backups and store them on the web server, in the
directory '/fusion_admin/db_backups/'. Since there is no access control
on that directory, an attacker may guess the name of a backed-up
database and download it.
See also :
http://echo.or.id/adv/adv04-y3dips-2004.txt
Solution :
Use a .htaccess file or the equivalent to control access to files in
the backup directory.
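
One way to verify the fix on your own server's filesystem, as an added example that is not part of the original plugin text: the script looks for the backup directory named above under a document root and reports whether a .htaccess file there denies all access. The function names, the constructed sample file and the two deny directives it accepts (Apache 2.4 "Require all denied", Apache 2.2 "Deny from all") are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

BACKUP_DIR = Path("fusion_admin") / "db_backups"  # directory named in the description

# Assumption: the fix is one of these deny-all directives (Apache 2.4 / 2.2 syntax).
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def audit_backup_dir(docroot):
    """Return (status, exposed_files) for the PHP-Fusion backup directory."""
    target = Path(docroot) / BACKUP_DIR
    if not target.is_dir():
        return "absent", []
    backups = sorted(p.name for p in target.iterdir()
                     if p.is_file() and p.name != ".htaccess")
    htaccess = target / ".htaccess"
    if htaccess.is_file():
        # Drop comment lines so a commented-out rule does not count as a fix.
        rules = "\n".join(line for line in htaccess.read_text().splitlines()
                          if not line.lstrip().startswith("#"))
        if DENY_RE.search(rules):
            return "protected", []
    return "exposed", backups

def demo():
    """Audit a constructed docroot before and after adding the deny rule."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / BACKUP_DIR
        d.mkdir(parents=True)
        # Constructed sample backup file, not a real PHP-Fusion dump.
        (d / "backup_sample.sql").write_text("-- constructed sample dump\n")
        before = audit_backup_dir(root)
        (d / ".htaccess").write_text("# block web access\nRequire all denied\n")
        after = audit_backup_dir(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check reads files only; Apache honours a .htaccess rule only when AllowOverride permits it for that directory, so confirm that setting in the server configuration as well.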
Threat Level:
Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)