There's a serious flaw in the security of the phpcontacts
(v0.7.1 and maybe higher!) module: you can directly link
to the CSV-file of all contacts without logging in!
I accidentally searched Google with "cgk-bol.nl" (my
domain) and found out that one of the first links in
Google linked to the downloadable phpwscontacts CSV
file! (URL: http://www.phpwebsitemanual.com/index.php?
) It also happened while visiting other phpws-sites.
I tested my own site myself (v0.9.3-1) and I got
(luckily!) an error. Maybe because I used
phpwscontacts v0.7.1 in combination with the
pagemasterhack or other modules.