Bugtraq mailing list archives

Recruitment Software allows MySQL credentials disclosure
From: Rafael San Miguel Carrasco <smcsoc () yahoo es>
Date: Sat, 31 Dec 2005 12:14:59 +0100


PRODUCT DESCRIPTION
Recruitment Software (http://www.recruitment-agency-software.com/) is a free full featured web-based recruitment agency software product. An easy to use back-end administration gives you full control over your recruitment job listings. It has been checked that several institutions are relying on this software for their recruitment processes.

VULNERABILITY DESCRIPTION
Default installations allow anyone to read MySQL database credentials. The following URL shows an XML file with such information:
http://<server>/<root-dir>/admin/site.xml

WORKAROUND
Protect this resource with HTTP-based authentication

Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com
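
The workaround named in the advisory, sketched as a web server configuration. This is an added example, not part of the original post or the vendor's documentation. It assumes the application is served by Apache httpd 2.4; the directory path, realm name and password file location are placeholders.

```apache
# Added example. Assumes Apache httpd 2.4 with mod_auth_basic,
# mod_authn_file and mod_authz_user loaded.
#
# Weak state described in the advisory: no access control applies to
# <root-dir>/admin/site.xml, so any client can fetch the MySQL credentials.
#
# Corrected state: require a valid HTTP login before the file is served.

# Placeholder path: replace with the real <root-dir>/admin on disk.
<Directory "/path/to/ROOT-DIR/admin">
    <Files "site.xml">
        AuthType Basic
        # Placeholder realm name shown in the browser login prompt.
        AuthName "Recruitment admin"
        # Placeholder path. Keep this file outside the document root so it
        # cannot itself be downloaded. Create it with: htpasswd -c <file> <user>
        AuthUserFile "/path/outside/docroot/recruitment.htpasswd"
        Require valid-user
    </Files>
</Directory>

# Basic authentication sends the password base64-encoded, not encrypted,
# so serve this location over TLS only.
```

After reloading the server, an unauthenticated request for admin/site.xml should return 401 instead of the XML file. If the database password was exposed before the change, rotate it.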

