Bugs item #940306, was opened at 2004-04-22 22:28
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=570207&aid=940306&group_id=83662
Category: Interface
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Paul (lostboyscout)
Assigned to: Nobody/Anonymous (nobody)
Summary: Vulnerability detected!
Initial Comment:
There's a serious flaw in the security of the phpcontacts
(v0.7.1 and maybe higher!) module: you can directly link
to the CSV-file of all contacts without logging in!
I accidentally searched Google with "cgk-bol.nl" (my
domain) and found out that one of the first links in
Google linked to the downloadable phpwscontacts CSV
file! (URL: http://www.phpwebsitemanual.com/index.php?module=phpwscontacts&CONTACTS_MAN_OP=exportcsv)
It also happened while visiting other phpws-sites.
I tested my own site myself (v0.9.3-1) and I got
(luckily!) an error. Maybe because I used
phpwscontacts v0.7.1 in combination with the
pagemasterhack or other modules.
Paul
----------------------------------------------------------------------
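One way a site administrator could check whether the export URL described in the report has already been served from their own site, as an added example (not part of the original report or of the phpwscontacts code): it scans web-server access logs for successful responses to the `module=phpwscontacts` / `CONTACTS_MAN_OP=exportcsv` request. The Apache combined log format, the crawler pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (addresses, times and agents are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Apr/2004:21:58:01 +0200] "GET /index.php?module=phpwscontacts&CONTACTS_MAN_OP=exportcsv HTTP/1.1" 200 48213 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [22/Apr/2004:22:03:17 +0200] "GET /index.php?module=phpwscontacts HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Apr/2004:22:05:40 +0200] "GET /index.php?CONTACTS_MAN_OP=exportcsv&module=phpwscontacts HTTP/1.0" 200 48213 "http://www.google.com/search?q=example" "Mozilla/4.0"
198.51.100.9 - - [22/Apr/2004:22:09:02 +0200] "GET /index.php?module=phpwscontacts&CONTACTS_MAN_OP=exportcsv HTTP/1.1" 403 312 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Assumed, non-exhaustive pattern for self-identifying crawlers.
CRAWLER_RE = re.compile(r"bot|crawl|spider|slurp", re.I)

def is_export_request(target):
    """True if the request targets the CSV export, whatever the parameter order."""
    query = parse_qs(urlsplit(target).query)
    return ("phpwscontacts" in query.get("module", [])
            and "exportcsv" in query.get("CONTACTS_MAN_OP", []))

def find_export_hits(log_text):
    """Return export requests that the server answered with a 2xx status."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_export_request(m["target"]):
            continue
        status = int(m["status"])
        if not 200 <= status < 300:
            continue  # denied or errored: the export was not served
        hits.append({
            "ip": m["ip"], "time": m["time"], "status": status,
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            # A crawler sends no session cookie, so a hit here means the file was public.
            "crawler": bool(CRAWLER_RE.search(m["agent"] or "")),
        })
    return hits

if __name__ == "__main__":
    for hit in find_export_hits(SAMPLE_LOG):
        print(hit)
```

Access logs do not record login state, so every hit still needs review; a hit flagged as a crawler is the clearest sign that the export was reachable without logging in.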