製品・ソフトウェアに関する情報

JVN脆弱性詳細

DeluxeBB における管理アクセス権を取得される脆弱性

Title	DeluxeBB における管理アクセス権を取得される脆弱性
Summary	DeluxeBB は、不十分なアクセスコントロールの Web ルート配下に重要な情報をを格納するため、ユーザ情報、設定情報、ログデータ、および管理アクセス権を取得される脆弱性が存在します。
Possible impacts	第三者により、以下のフォルダ内のスクリプトへの直接リクエストを介して、ユーザ情報、設定情報、ログデータ、および管理アクセス権を取得される可能性があります。 (1) templates/ (2) templates/deluxe/admincp/ (3) templates/corporate/admincp/ (4) templates/blue/admincp/ (5) images/ (6) logs/ (7) logs/cp.php (8) wysiwyg/ (9) docs/ (10) classes/ (11) lang/ (12) settings/
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 30, 2009, midnight
Registration Date	June 26, 2012, 4:18 p.m.
Last Update	June 26, 2012, 4:18 p.m.

Affected System

deluxebb

deluxebb 1.3

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-4465	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4465
National Vulnerability Database (NVD)
2	CVE-2009-4465	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4465

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-4465

Summary	DeluxeBB 1.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and configuration information, log data, and gain administrative access via a direct request to scripts in (1) templates/ including (2) templates/deluxe/admincp/, (3) templates/corporate/admincp/, and (4) templates/blue/admincp/; (5) images/; (6) logs/ including (7) logs/cp.php; (8) wysiwyg/; (9) docs/; (10) classes/; (11) lang/; and (12) settings/.
Summary	DeluxeBB v1.3 almacena información sensible bajo la raíz de la web con controles de acceso insuficientes, lo que permite a atacantes remotos obtener información de usuarios y configuración, datos del log, y conseguir acceso con permisos de administrador a través de una petición directa a secuencias de comandos en (1) templates/ including (2) templates/deluxe/admincp/, (3) templates/corporate/admincp/, y (4) templates/blue/admincp/; (5) images/; (6) logs/ including (7) logs/cp.php; (8) wysiwyg/; (9) docs/; (10) classes/; (11) lang/; and (12) settings/.
Publication Date	Dec. 31, 2009, 5 a.m.
Registration Date	Jan. 29, 2021, 1:27 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:deluxebb:deluxebb:1.3:::::::*

Related information, measures and tools

No	URL	refsource
1	http://www.exploit-db.com/exploits/10598	cve@mitre.org
2	http://www.securityfocus.com/bid/37448	cve@mitre.org
3	https://exchange.xforce.ibmcloud.com/vulnerabilities/54975	cve@mitre.org
4	https://exchange.xforce.ibmcloud.com/vulnerabilities/54977	cve@mitre.org
5	https://exchange.xforce.ibmcloud.com/vulnerabilities/54978	cve@mitre.org
6	http://www.exploit-db.com/exploits/10598	af854a3a-2127-422b-91ae-364da2661108
7	http://www.securityfocus.com/bid/37448	af854a3a-2127-422b-91ae-364da2661108
8	https://exchange.xforce.ibmcloud.com/vulnerabilities/54975	af854a3a-2127-422b-91ae-364da2661108
9	https://exchange.xforce.ibmcloud.com/vulnerabilities/54977	af854a3a-2127-422b-91ae-364da2661108
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/54978	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html