Description

Macromedia Dreamweaver has created a directory (_mmServerScripts or _mmDBScripts) that contains scripts for testing database connectivity. One of these scripts (mmhttpdb.php or mmhttpdb.asp) can be accessed without user ID or password and contains numerous operations, such as listing Datasource Names or executing arbitrary SQL queries.

Remediation

Remove these directories from production systems.

References

NGSSoftware advisory

Related Vulnerabilities

WordPress Plugin Relevanssi-A Better Search SQL Injection (3.2)

WordPress Plugin ProPlayer 'pp_playlist_id' Parameter SQL Injection (4.7.7)

WordPress Plugin W3 Total Cache Multiple Vulnerabilities (0.9.4.1)

WordPress Plugin Store Locator Plus for WordPress SQL Injection (3.8.6)

WordPress Plugin Post Form-Registration Form-Profile Form for User Profiles and Content Forms for User Submissions SQL Injection (2.2.7)

Severity

High

Classification

CVE-2004-1893 CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

SQL Injection Information Disclosure