Published: 2005-05-02 00:00:00
Revised: 2009-02-06 00:40:15

[Original text] betaparticle blog (bp blog) stores the database under the web root, which allows remote attackers to obtain sensitive information via a direct request to (1) dbBlogMX.mdb for versions before 3.0, or (2) Blog.mdb for versions 3.0 and later. NOTE: it was later reported that vector 2 also affects versions 6.0 through 9.0.

[CNNVD] Betaparticle Blog Multiple Remote Vulnerabilities (CNNVD-200505-639)

        betaparticle blog (bp blog) stores its database under the web root. A remote attacker can obtain sensitive information by directly requesting (1) dbBlogMX.mdb in versions before 3.0, or (2) Blog.mdb in version 3.0 and later. Note: it was later reported that vector 2 also affects versions 6.0 through 9.0.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to result in information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(PATCH)  XF  betaparticle-web-root-information-disclosure(19779)
(UNKNOWN)  XF  bpblog-blog-info-disclosure(47419)
(UNKNOWN)  BID  12861

- Vulnerability information

Betaparticle Blog Multiple Remote Vulnerabilities
Medium severity  Insufficient information
2005-05-02 00:00:00 2009-02-06 00:00:00

- Advisories and patches


- Vulnerability information

betaparticle dbBlogMX.mdb Direct Request Database Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality

- Vulnerability description

- Timeline

2005-03-20 Unknown
2005-03-20 Unknown

- Solution


Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Betaparticle Blog Multiple Remote Vulnerabilities
Unknown 12861
Yes No
2005-03-21 12:00:00 2009-07-12 10:56:00
Discovery of these vulnerabilities is credited to farhad koosha <>.

- Affected program versions

betaparticle betaparticle blog 3.0
betaparticle betaparticle blog 2.0
betaparticle betaparticle blog 4.0

- Unaffected program versions

betaparticle betaparticle blog 4.0

- Vulnerability discussion

betaparticle blog is reported prone to multiple vulnerabilities. The following individual issues are reported:

It is reported that betaparticle blog fails to sufficiently secure the authentication credential database. A remote attacker may exploit this vulnerability to download and disclose the contents of the credential database.

This issue is reported to affect betaparticle blog prior to and including version 3.0.

It is reported that several betaparticle blog scripts may be accessed by a remote unauthenticated attacker and may be employed to upload and delete arbitrary Web server accessible files. A remote attacker may leverage these scripts to deny service for legitimate users or potentially compromise a target computer.

It is reported that these scripts may be leveraged on betaparticle blog versions up to and including version 3.0.
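The weakness in the record above is a database file (dbBlogMX.mdb or Blog.mdb) that sits under the web root and is served like any other static file. Two defender-side checks follow as an added example; this is not code from the CNNVD, BID or betaparticle records. The first inventories database files under a web root (the advisory only names .mdb files; .accdb is included as an assumption for newer Access databases), and the second runs over web-server access-log lines in Common Log Format and reports requests that actually fetched a database file with a 2xx response. The log lines, IP addresses and paths are constructed sample data; only the two file names come from the advisory.

```python
import os
import re
from typing import Iterable, List, Tuple

# Access/Jet database extensions. The advisory names only .mdb files; .accdb is
# added as an assumption so newer Access databases are also caught.
DB_EXTENSIONS = (".mdb", ".accdb")

# File names taken from the advisory: dbBlogMX.mdb (before 3.0), Blog.mdb (3.0+).
KNOWN_BLOG_DATABASES = {"dbblogmx.mdb", "blog.mdb"}


def exposed_database_files(relative_paths: Iterable[str]) -> List[str]:
    """Return the web-root-relative paths that point at database files.

    Any database under the web root is fetchable with a plain GET unless the
    server denies the extension, so every match is a finding, not only the two
    names from the advisory.
    """
    findings = []
    for rel in relative_paths:
        if os.path.basename(rel).lower().endswith(DB_EXTENSIONS):
            findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def scan_web_root(web_root: str) -> List[str]:
    """Walk a real web root directory and apply exposed_database_files()."""
    rels = []
    for dirpath, _dirs, files in os.walk(web_root):
        for f in files:
            rels.append(os.path.relpath(os.path.join(dirpath, f), web_root))
    return exposed_database_files(rels)


# Minimal Common Log Format parser (assumption: CLF is enough for this check).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def direct_database_requests(log_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for requests that were served a database file.

    Only 2xx responses count: they mean the file actually left the server,
    which is the disclosure the advisory describes. Denied requests (403/404)
    are skipped here; they belong in a separate "probing" view if wanted.
    """
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # not CLF, or a truncated line
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not path.lower().endswith(DB_EXTENSIONS):
            continue
        status = int(m.group("status"))
        if 200 <= status < 300:
            hits.append((m.group("ip"), path, status))
    return hits


def is_known_blog_database(path: str) -> bool:
    """True when the requested file is one of the two names from the advisory."""
    return os.path.basename(path).lower() in KNOWN_BLOG_DATABASES


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2005:10:12:01 +0000] "GET /blog/default.asp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Mar/2005:10:12:09 +0000] "GET /blog/Blog.mdb HTTP/1.1" 200 462848',
    '198.51.100.3 - - [20/Mar/2005:11:40:33 +0000] "GET /blog/dbBlogMX.mdb HTTP/1.1" 404 1100',
    '198.51.100.3 - - [20/Mar/2005:11:40:35 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, status in direct_database_requests(SAMPLE_LOG):
        kind = "advisory file" if is_known_blog_database(path) else "other database"
        print(f"{ip} fetched {path} ({status}) - {kind}")
```

Running the block on the sample log reports the single successful fetch of /blog/Blog.mdb; the 404 for dbBlogMX.mdb is deliberately not reported, because that request disclosed nothing. The lasting fix is the one the advisory implies: keep the database outside the web root, and have the web server refuse to serve database extensions as a second layer.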

- Exploit

The following examples are available:

- Solution

It is reported that these issues are addressed in betaparticle blog version 4.0; this is not confirmed. Customers are advised to contact the vendor for further information regarding obtaining and applying appropriate updates.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- References