Vulnerability Scanning Solutions, LLC.
Home
Our Process
Residential
Corporate
What We Scan For
Sample Report
Client List
Terms
Contact Us
What We Scan For
Family: CGI abuses --> Category: infos

Uebimiau Session Directory Disclosure Vulnerability Scan


Vulnerability Scan Summary
Searches for the existence of sessions directory of UebiMiau

Detailed Explanation for this Vulnerability Test

UebiMiau is a simple and cross-plataform POP3/IMAP mail
reader written in PHP.

Uebimiau in default installation create one temporary folder
to store 'sessions' and other files. This folder is defined
in 'inc/config.php' as './database/'.

If the web administrator don't change this folder, a possible hacker
can exploit this using the follow request:
http://server-target/database/_sessions/

Solutions:
1) Insert index.php in each directory of the Uebimiau

2) Set variable $temporary_directory to a directory
not public and with restricted access, set permission
as read only to 'web server user' for each files in
$temporary_directory.

3) Set open_basedir in httpd.conf to yours clients follow
the model below:


php_admin_value open_basedir
/server-target/public_html


Threat Level: Medium

Click HERE for more information and discussions on this network vulnerability scan.

VSS, LLC.

P.O. Box 827051

Pembroke Pines, FL 33082-7051

Vulnerability Scanning Solutions, LLC.