ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names.
ASPRunner is reported prone to multiple vulnerabilities. The reported issues include SQL injection, cross-site scripting, information disclosure and unauthorized access to database files.
ASPRunner versions 2.4 and prior are affected by these issues.
ASPRunner Database Direct Request Information Disclosure
Remote / Network Access
Loss of Confidentiality
ASPRunner contains a flaw that may lead to an unauthorized information disclosure. With knowledge of the database file name, a remote attacker could send a specially crafted URL request for this file to download the database, disclosing sensitive information and resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
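One way to look for the direct requests described above in web server logs, given here as an added example that is not part of the original advisory or of ASPRunner. It assumes IIS W3C extended logs with a `#Fields:` header and that the application sits at the site root, so the database directory is `/db/`; the log lines, addresses and file names are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample log; every address, path and size is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2005-03-01 10:00:01 192.0.2.10 GET /orders_list.asp 200 5120
2005-03-01 10:00:07 198.51.100.7 GET /db/orders.mdb 200 1048576
2005-03-01 10:00:09 198.51.100.7 GET /DB/%6Frders.mdb 200 1048576
2005-03-01 10:00:12 203.0.113.5 GET /db/customers.mdb 404 0
2005-03-01 10:00:15 203.0.113.5 GET /images/../db/orders.mdb 206 4096
"""


def normalise(uri_stem):
    """Decode, lower-case and collapse dot segments so variants compare equal."""
    path = posixpath.normpath(unquote(uri_stem).lower())
    return "/" + path.lstrip("/")  # normpath keeps a leading '//'


def find_db_downloads(log_text, db_dir="/db/"):
    """Return (client_ip, path, bytes_sent) for served requests under db_dir.

    db_dir is an assumption about where the application is deployed.
    Only 200 and 206 responses count: the server actually returned file data.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = normalise(row.get("cs-uri-stem", ""))
        if path.startswith(db_dir) and row.get("sc-status") in ("200", "206"):
            sent = row.get("sc-bytes", "0")
            hits.append((row.get("c-ip"), path, int(sent) if sent.isdigit() else 0))
    return hits


if __name__ == "__main__":
    for ip, path, sent in find_db_downloads(SAMPLE_LOG):
        print(f"{ip} retrieved {path} ({sent} bytes)")
```

Any hit means a file under the database directory was served to a client; the byte count helps distinguish a full download from a partial one.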