Vulnerability Assessment & Network Security Forums



If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important.  If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.


Home >> Browse Vulnerability Assessment Database >> CGI abuses >> LifeType profile Parameter Information Disclosure Vulnerability


Vulnerability Assessment Details

LifeType profile Parameter Information Disclosure Vulnerability

Vulnerability Assessment Summary
Tries to read the configuration file for LifeType

Detailed Explanation for this Vulnerability Assessment

Summary :

The remote web server contains a PHP script that is prone to an
information disclosure vulnerability.

Description :

The remote host is running LifeType, an open-source blogging platform
written in PHP.

The version of LifeType installed on the remote fails to sanitize
input to the 'profile' parameter of the 'rss.php' script of directory
traversal sequences. An unauthenticated remote attacker can be able
to leverage this flaw to read files on the affected host and disclose
sensitive information, such as configuration parameters used by the
application.

See also :

http://www.nessus.org/u?bc5c2a48

Solution :

Upgrade to Lifetype 1.1.6 / 1.2-beta2 or later.

Network Security Threat Level:

Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:N)

Networks Security ID: 22572

Vulnerability Assessment Copyright: This script is Copyright (C) 2007 Tenable Network Security

Cables, Connectors

NEW Genuine Dell 7FT KVM Analog VGA PS/2 Keyboard Mouse Server Cable Kit J5471
$9.99
NEW Genuine Dell 7FT KVM Analog VGA PS/2 Keyboard Mouse Server Cable Kit J5471 picture1969 EAI TR-20 Analog Computer Operations/Programming PACE Electronic Associates
$32.0
1969 EAI TR-20 Analog Computer Operations/Programming PACE Electronic Associates pictureAnalog Computing - September 1988 issue
$3.0
Analog Computing - September 1988 issue pictureAnalog Computing - May 1988 issue
$3.0
Analog Computing - May 1988 issue picture


Discussions

No Discussions have been posted on this vulnerability.