[41927] in bugtraq
Recruitment Software allows MySQL credentials disclosure
daemon@ATHENA.MIT.EDU (Rafael San Miguel Carrasco)
Tue Jan 3 18:23:11 2006
Message-ID: <43B66833.6020200@yahoo.es>
Date: Sat, 31 Dec 2005 12:14:59 +0100
From: Rafael San Miguel Carrasco <smcsoc@yahoo.es>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
PRODUCT DESCRIPTION
Recruitment Software (http://www.recruitment-agency-software.com/) is a
free, full-featured, web-based recruitment agency software product. Its
easy-to-use back-end administration gives full control over the
recruitment job listings.
Several institutions have been found to rely on this software for their
recruitment processes.
VULNERABILITY DESCRIPTION
A default installation allows anyone to read the MySQL database credentials.
The following URL returns an XML file containing them:
http://<server>/<root-dir>/admin/site.xml
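As an added example (not part of the advisory or the product), the following Python script triages web-server access logs for requests to the credentials file, separating fetches that actually returned the XML from requests the server refused, so an administrator can tell whether the exposure was used before the workaround below was applied. It assumes the Apache/nginx "combined" log layout and uses constructed sample lines; <root-dir> is deployment-specific, so the file is matched by path suffix.

```python
import re

# Apache/nginx "combined" log layout (assumed; the advisory itself shows no logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# <root-dir> in the advisory is deployment-specific, so match on the path tail.
SENSITIVE_SUFFIX = "/admin/site.xml"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def triage(lines):
    """Split requests for the credentials file into 'exposed' (2xx with a body,
    i.e. the XML with the MySQL credentials left the server) and 'blocked'
    (anything else, e.g. 401 once HTTP authentication is in place)."""
    result = {"exposed": [], "blocked": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string; lower-case because servers on case-insensitive
        # filesystems serve SITE.xml just as readily.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SENSITIVE_SUFFIX):
            continue
        bucket = "exposed" if 200 <= rec["status"] < 300 and rec["bytes"] > 0 else "blocked"
        result[bucket].append(rec)
    return result


def exposed_ips(lines):
    """Client addresses that actually obtained the file, with fetch counts."""
    counts = {}
    for rec in triage(lines)["exposed"]:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2006:10:11:12 +0100] "GET /recruit/admin/site.xml HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jan/2006:10:11:40 +0100] "GET /recruit/admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2006:11:00:01 +0100] "GET /recruit/admin/SITE.xml?x=1 HTTP/1.0" 200 1834 "-" "curl/7.15"',
    '198.51.100.9 - - [03/Jan/2006:09:30:00 +0100] "GET /recruit/admin/site.xml HTTP/1.0" 401 512 "-" "curl/7.15"',
    'not a log line at all',
]
```

Running `triage(SAMPLE_LOG)` on the sample reports two successful fetches from two addresses and one refused request; any address in the "exposed" list means the database password should be rotated, not just hidden.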
WORKAROUND
Protect this resource with HTTP-based authentication.
Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com