Note-A-Day Weblog 2.2 stores sensitive data under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to archive/.phpass-admin, which contains encrypted passwords.
Note-A-Day Weblog /archive Directory Direct Request User Credential Disclosure
Remote / Network Access
Loss of Confidentiality
Note-A-Day Weblog contains a flaw that may lead to an unauthorized information disclosure. The issue is present because the 'archive/.phpass-admin' file, which holds user credentials (including the administrator's) as password hashes (the file name indicates phpass-style hashes; the CVE text calls them "encrypted passwords"), is stored under the web document root with no access control and can be fetched with a single direct request. An unauthenticated remote attacker who retrieves it can attempt to crack the hashes offline, resulting in a loss of confidentiality.
Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. Until the upgrade is applied, the flaw can be mitigated by denying web access to the file: in the Apache configuration, or in the .htaccess file of the archive directory, add the following access control.
<Files ~ "^\.phpass-">
Deny from all
</Files>
Two caveats apply: an .htaccess file is only honoured if AllowOverride permits it for that directory, so confirm with a direct request that the file now returns 403; and "Deny from all" is Apache 2.2 syntax (on Apache 2.4 it needs mod_access_compat, the native equivalent being "Require all denied"). The workaround only hides the file from the web server; the password hashes remain on disk, so the upgrade is still the real fix.
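Once the workaround is in place, a practitioner wants two things: a way to confirm the file is no longer served, and a way to find out whether anyone already fetched it. The following is an added example, not code from Note-A-Day or from the advisory: it parses Apache "combined" format access-log lines, flags direct requests for any 'archive/.phpass-*' file, and reports whether the server actually served the content (2xx) or blocked it (403). The log lines, IP addresses and timestamps are constructed for the example; the field names and the optional live-check helper are this example's own assumptions, not part of the product.

```python
"""Detect direct requests for the exposed Note-A-Day credential file in
Apache access logs and, optionally, verify that the access control
workaround now blocks them.  Added example, not Note-A-Day code."""
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Apache "combined" log format; the group names are our own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Any ".phpass-*" file under an archive/ directory, at any depth, so the
# check works whether the weblog lives at / or under a sub-path such as
# /blog/.  This mirrors the "^\.phpass-" pattern of the <Files> workaround.
TARGET_RE = re.compile(r'^/(?:[^?]*/)?archive/\.phpass-[^/?]*', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /archive/.phpass-admin HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /archive/2023-10-01.html HTTP/1.1" 200 1432 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:14:02:11 +0000] "GET /blog/archive/.phpass-admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:02:15 +0000] "HEAD /archive/.phpass-admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()


def classify(line):
    """Return (verdict, client_ip, path) for a log line that requests a
    .phpass-* file under archive/, or None for any other line.

    verdict is 'exposed' when the server answered 2xx (the hashes were
    served), 'blocked' for 403 (the workaround is working) and 'other'
    for anything else (404 after an upgrade, redirects, errors)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if not TARGET_RE.match(path):
        return None
    status = int(m.group("status"))
    if 200 <= status < 300:
        verdict = "exposed"
    elif status == 403:
        verdict = "blocked"
    else:
        verdict = "other"
    return (verdict, m.group("ip"), path)


def scan(lines):
    """Collect every credential-file request found in an iterable of lines."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def check_exposure(base_url, path="archive/.phpass-admin", timeout=5):
    """Live verification of the workaround (needs network; not used in the
    offline test).  Returns 'exposed' for 2xx, 'blocked' for 403,
    'missing' for 404, or 'http-<code>' for anything else."""
    url = urljoin(base_url.rstrip("/") + "/", path)
    req = Request(url, headers={"User-Agent": "phpass-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return "exposed" if 200 <= resp.status < 300 else f"http-{resp.status}"
    except HTTPError as e:
        return {403: "blocked", 404: "missing"}.get(e.code, f"http-{e.code}")


if __name__ == "__main__":
    for verdict, ip, path in scan(SAMPLE_LOG):
        print(f"{verdict:8} {ip:15} {path}")
```

Run it against a real access log with `scan(open("/var/log/apache2/access.log"))`; any 'exposed' hit means the hash file left the server and the affected passwords should be reset, not merely the file hidden. `check_exposure("https://weblog.example/")` is the post-fix sanity check: it should return 'blocked' with the .htaccess rule in place, or 'missing' once the upgrade removes the file.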