The OpenNET Project
 
Date: Sat, 31 Dec 2005 12:14:59 +0100
From: Rafael San Miguel Carrasco <smcsoc@yahoo.es.>
To: [email protected]
Subject: Recruitment Software allows MySQL credentials disclosure
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru


PRODUCT DESCRIPTION
Recruitment Software (http://www.recruitment-agency-software.com/) is a 
free full featured web-based recruitment agency software product. An 
easy to use back-end administration gives you full control over your 
recruitment job listings.
It has been verified that several institutions rely on this 
software for their recruitment processes.

VULNERABILITY DESCRIPTION
Default installations allow anyone to read the MySQL database credentials. 
The following URL serves an XML file containing this information:
http://<server>/<root-dir>/admin/site.xml

WORKAROUND
Protect this resource with HTTP-based authentication.

Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com
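
One way to confirm the workaround took effect on your own installation, as an added example that is not part of the original advisory: request admin/site.xml without credentials and classify the answer. The function names, the result labels and the plain-HTTP caveat are assumptions of this example; the sample responses in the test are constructed.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def classify(url, status, headers, body):
    """Classify an unauthenticated response; headers is a dict with lowercase keys."""
    if status == 401 and "www-authenticate" in headers:
        if urlsplit(url).scheme != "https":
            # HTTP authentication is in place, but Basic credentials sent over
            # plain HTTP are only base64-encoded, not encrypted.
            return "protected-but-cleartext"
        return "protected"
    if status in (403, 404):
        # The file is not handed out at all (access denied or removed).
        return "not-served"
    looks_like_xml = ("xml" in headers.get("content-type", "").lower()
                      or body.lstrip().startswith(b"<?xml"))
    if status == 200 and looks_like_xml:
        # XML returned without any credentials: the workaround is not applied.
        return "exposed"
    # For example a 200 HTML login page after a redirect: needs a human look.
    return "review-manually"


def check(base_url):
    """Fetch <base_url>/admin/site.xml without credentials and classify it."""
    url = base_url.rstrip("/") + "/admin/site.xml"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read(4096)
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status and headers are still what we need.
        status, hdrs, body = err.code, err.headers, err.read(4096)
    headers = {k.lower(): v for k, v in hdrs.items()}
    return classify(url, status, headers, body)


if __name__ == "__main__":
    # Usage: python check_site_xml.py https://<server>/<root-dir>
    print(check(sys.argv[1]))
```

Anything other than "protected" or "not-served" means the configuration still needs attention, and the MySQL password should be changed if the file was ever reachable without authentication.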


