Security Advisory: Log File Path Predictability in dasBlog Community Edition

dasBlog stores log files in known subdirectories of the blog site, e.g. http://www.site.com/logs/2005-01-20.events.log or http://www.site.com/logs/2005-01-20.events.zip

With a default installation (as provided by the installation instructions) these files can be downloaded anonymously and can leak information about your site.

Workaround
remove read ACLs for IUSR_MACHINENAME or remove anoymous and integrated authentication from the sub directory in IIS.

 

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s