Family: CGI abuses --> Category: infos
Uebimiau Session Directory Disclosure Vulnerability Scan
Vulnerability Scan Summary: Searches for the existence of the UebiMiau sessions directory
Detailed Explanation for this Vulnerability Test
UebiMiau is a simple, cross-platform POP3/IMAP mail
reader written in PHP.
A default UebiMiau installation creates a temporary folder
to store session files and other data. This folder is defined
in 'inc/config.php' as './database/', i.e. inside the web root.
If the web administrator does not change this setting, an attacker
can request the session directory directly, for example:
http://server-target/database/_sessions/
If the web server has directory indexing enabled, the response lists
the stored session files; if the request succeeds at all, the default
location is confirmed.
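The probe above, as an added example that is not part of the original scanner plugin: it builds the request, sends it, and classifies the answer. The path database/_sessions/ comes from the advisory; the function names, the "Index of" listing marker, the constructed sample response and the made-up session file name in it are assumptions of this example.

```python
"""Added example, not part of the original scanner plugin: a minimal
check for the exposed UebiMiau session directory described above.

The probe path (database/_sessions/) is the one the advisory gives.
The function names, the listing marker, the sample response and the
made-up session file name in it are assumptions of this example."""
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Default from inc/config.php ('./database/') plus the _sessions subfolder
DEFAULT_SESSION_PATH = "database/_sessions/"

# Constructed sample of an Apache-style directory index; the file name is made up
SAMPLE_LISTING = (
    "<html><head><title>Index of /database/_sessions</title></head>"
    "<body><h1>Index of /database/_sessions</h1><ul>"
    '<li><a href="../">Parent Directory</a></li>'
    '<li><a href="sess_0a1b2c.php">sess_0a1b2c.php</a></li>'
    "</ul></body></html>"
)


def probe_url(base_url, session_path=DEFAULT_SESSION_PATH):
    """Build the probe URL; the base must end in '/' so urljoin appends the path."""
    if not base_url.endswith("/"):
        base_url += "/"
    return urljoin(base_url, session_path)


def listed_entries(body):
    """Return file names from a directory index page, skipping parent and sort links."""
    entries = []
    for href in re.findall(r'href="([^"]+)"', body):
        if href.startswith(("?", "/", "..")):
            continue
        entries.append(href)
    return entries


def classify_response(status, body):
    """Map the probe response to a finding.

    exposed   - 200 with a directory index: session files are enumerable
    present   - 200 without an index (e.g. an index.php was added, solution 1)
    protected - 401/403: the directory exists but access is denied
    absent    - 404: nothing at the default location (solution 2, or not UebiMiau)
    unknown   - anything else, including a failed connection
    """
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "exposed" if "index of" in body.lower() else "present"
    return "unknown"


def http_fetch(url, timeout=10):
    """Fetch a URL and return (status, body); connection errors yield (None, '')."""
    req = Request(url, headers={"User-Agent": "uebimiau-session-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:  # URLError, DNS failures and timeouts all derive from OSError
        return None, ""


def check_target(base_url, fetch=http_fetch):
    """Probe one host; `fetch` is injectable so the check can run offline."""
    url = probe_url(base_url)
    status, body = fetch(url)
    return url, classify_response(status, body)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://server-target"
    url, verdict = check_target(target)
    print(f"{url}: {verdict}")
    if verdict == "exposed":
        for name in listed_entries(http_fetch(url)[1]):
            print("  listed:", name)
```

A 200 without a listing is still reported as "present" rather than clean: the directory is reachable, only the index is hidden, so the session files are still exposed to anyone who learns or guesses their names. Only a 404 (directory moved out of the web root) or a 403 (access denied at the web server) clears the finding.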
Solutions:
1) Place an index.php in each directory of the UebiMiau installation,
so the web server never returns a directory listing.
2) Set the variable $temporary_directory to a directory outside the
public web root, with restricted access: the files in
$temporary_directory should be readable only by the 'web server user'.
3) Set open_basedir in httpd.conf for each of your clients, following
the model below:
php_admin_value open_basedir /server-target/public_html
Note that an open_basedir limited to public_html also stops PHP from
reaching a $temporary_directory placed outside it, so when combining
solutions 2 and 3 add that directory to the open_basedir value
(paths are separated by ':').
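Solution 2 can be verified locally. The following is an added example, not code from the advisory or from UebiMiau: it reads an inc/config.php, resolves $temporary_directory against the install directory, reports whether it still sits under the document root, and flags files that are readable or writable by everyone. The variable name is the one the advisory gives; the exact assignment syntax it parses, the directory paths and both sample config texts are assumptions.

```python
"""Added example, not part of the original advisory: a local audit of
UebiMiau's inc/config.php against solution 2 above.

Assumptions: $temporary_directory (the variable named in the advisory)
is set by a plain assignment such as  $temporary_directory = "./database/";
(that exact line shape is assumed), a relative value is resolved against
the UebiMiau install directory, and both sample config texts are constructed."""
import os
import re
import shutil
import stat
import tempfile

ASSIGN_RE = re.compile(r'\$temporary_directory\s*=\s*[\'"]([^\'"]+)[\'"]\s*;')

# Constructed samples: the shipped default and a hardened replacement
DEFAULT_CONFIG = '<?php\n$temporary_directory = "./database/";\n'
HARDENED_CONFIG = '<?php\n$temporary_directory = "/var/lib/uebimiau/sessions/";\n'


def temporary_directory(config_text):
    """Extract the configured value, or None if the assignment is missing."""
    match = ASSIGN_RE.search(config_text)
    return match.group(1) if match else None


def resolve_temp_dir(config_text, install_dir):
    """Absolute, normalised path of the temporary directory for this install."""
    value = temporary_directory(config_text)
    if value is None:
        return None
    if not os.path.isabs(value):
        value = os.path.join(install_dir, value)
    return os.path.normpath(value)


def is_inside(path, root):
    """True if path is root or below it. commonpath avoids the
    '/public_html' vs '/public_html_old' prefix trap of startswith."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root


def audit_location(config_text, install_dir, document_root):
    """'inside-webroot' means the session directory is reachable over HTTP."""
    temp = resolve_temp_dir(config_text, install_dir)
    if temp is None:
        return "no-setting"
    return "inside-webroot" if is_inside(temp, document_root) else "outside-webroot"


def world_accessible(path):
    """Return the directory and any file in it that 'other' can read or write."""
    problems = []
    entries = [path] + [os.path.join(path, name) for name in os.listdir(path)]
    for entry in entries:
        mode = os.stat(entry).st_mode
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            problems.append(entry)
    return problems


def demo_permission_check():
    """Self-test: a throwaway directory with one loose (0644) and one tight
    (0600) file; returns the base names the permission check flags."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o700)
        for name, mode in (("loose.php", 0o644), ("tight.php", 0o600)):
            full = os.path.join(base, name)
            with open(full, "w") as fh:
                fh.write("")
            os.chmod(full, mode)
        return [os.path.basename(p) for p in world_accessible(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    install, docroot = "/home/client/public_html/webmail", "/home/client/public_html"
    print("default :", audit_location(DEFAULT_CONFIG, install, docroot))
    print("hardened:", audit_location(HARDENED_CONFIG, install, docroot))
    print("flagged :", demo_permission_check())
```

Run it against a real installation by passing the contents of inc/config.php, the directory that file's parent lives in, and the virtual host's DocumentRoot; if the verdict is "outside-webroot", remember that solution 3's open_basedir must then include that directory too.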
Threat Level: Medium