ScriptsEz FREEze Greetings "pwd.txt" Information Disclosure
Report ID: SA32744
Source: Secunia
Date of Discovery: 18.11.2008
Criticality: Moderate
Affects: ScriptsEz FREEze Greetings
Compromise From: From remote
Compromise Type: Security bypass; Exposure of sensitive information
Summary
A security issue in ScriptsEz FREEze Greetings can be exploited by malicious people to disclose sensitive information.
Detailed Description
A security issue in ScriptsEz FREEze Greetings can be exploited by malicious people to disclose sensitive information.
The security issue is caused by the application storing user credentials in the "pwd.txt" file. This can be exploited to disclose base64-encoded passwords by requesting the file directly.
Solution
Restrict access to the pwd.txt file (e.g. via .htaccess).
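An added example, not part of the original advisory: a .htaccess fragment for the directory holding pwd.txt that refuses direct requests for the file. It assumes an Apache server whose AllowOverride setting permits these directives in .htaccess; the two branches cover Apache 2.4 and Apache 2.2 syntax.

```apache
# Assumption: this file is saved as .htaccess in the same directory as pwd.txt.
# The application still reads pwd.txt from disk; only HTTP requests are refused.
<Files "pwd.txt">
    # Apache 2.4 and later (mod_authz_core); needs AllowOverride AuthConfig
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 and earlier; needs AllowOverride Limit
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

After deploying it, a direct request for pwd.txt should return 403 Forbidden; a 200 response means the server is ignoring the .htaccess file.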