HTMLJunction EZGuestbook stores the guestbook.mdb file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the administrative password.
HTMLJunction EZGuestbook guestbook.mdb Remote Information Disclosure
Remote / Network Access
Loss of Confidentiality
EZGuestbook contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the product stores its database within the web root, where it can be downloaded with a simple browser request. This will disclose all guestbook information, including the administrator's username and cleartext password, resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Apply web server access controls to the datastores directory, or relocate guestbook.mdb outside of the web root and modify config.asp to point to the new location by changing the line that reads:
strDBPath = "/ezguestbook/datastores/guestbook.mdb"
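As an added example (not code from the advisory or from EZGuestbook), the following Python audit check reads the strDBPath line from config.asp and reports whether the configured database resolves to a location under the web root, which is the condition the advisory describes. It assumes that a leading "/" in strDBPath is a virtual path resolved against the site root (as classic ASP's Server.MapPath does), and the web root and relocated path used below are constructed sample values.

```python
import ntpath
import re

# Constructed sample inputs. The first is the config.asp line quoted in the
# advisory; the second is an assumed relocated setting (a physical path outside
# the web root), not a value taken from the advisory.
CONFIG_ASP_VULNERABLE = 'strDBPath = "/ezguestbook/datastores/guestbook.mdb"'
CONFIG_ASP_RELOCATED = 'strDBPath = "C:\\data\\ezguestbook\\guestbook.mdb"'
WEB_ROOT = "C:\\inetpub\\wwwroot"  # assumed IIS site root for the sample

STRDBPATH_RE = re.compile(r'strDBPath\s*=\s*"([^"]+)"', re.IGNORECASE)


def extract_db_path(config_text):
    """Return the string literal assigned to strDBPath in config.asp text."""
    match = STRDBPATH_RE.search(config_text)
    if not match:
        raise ValueError("no strDBPath assignment found in config.asp")
    return match.group(1)


def resolve_db_path(db_path, web_root):
    """Map strDBPath to a normalized physical path.

    A leading '/' marks a virtual path, which classic ASP maps from the site
    root; anything else is treated as an already physical path. ntpath is used
    so the check behaves the same on any host.
    """
    if db_path.startswith("/"):
        physical = ntpath.join(web_root, *db_path.lstrip("/").split("/"))
    else:
        physical = db_path
    # normpath collapses any '..' segments so a traversal cannot fool the check
    return ntpath.normcase(ntpath.normpath(physical))


def is_under_web_root(db_path, web_root):
    """True if the database file would be served from the web document root."""
    physical = resolve_db_path(db_path, web_root)
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\")
    return physical == root or physical.startswith(root + "\\")


def audit_config(config_text, web_root=WEB_ROOT):
    """Summarize where the datastore lives and whether it is web-exposed."""
    db_path = extract_db_path(config_text)
    return {
        "strDBPath": db_path,
        "physical": resolve_db_path(db_path, web_root),
        "exposed": is_under_web_root(db_path, web_root),
    }


if __name__ == "__main__":
    for sample in (CONFIG_ASP_VULNERABLE, CONFIG_ASP_RELOCATED):
        print(audit_config(sample))
```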