CVE-2005-3049
Description
PhpMyFaq 1.5.1 stores data files under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain sensitive information via a direct request to the data/tracking[DATE] file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:phpmyfaq:phpmyfaq:1.5.1:*:*:*:*:*:*:*
- (no CPE) range: =1.5.1
Patches
Vulnerability mechanics
Root cause
"Data files are stored under the web document root with insufficient access control and predictable filenames, allowing direct retrieval of sensitive log data."
Attack vector
An attacker sends a direct HTTP GET request to the tracking log file located at `/data/tracking[DATE]`, where `[DATE]` is the current date in `dmY` format (e.g., `22092005`). No authentication is required because the file resides under the web root without access restrictions. The server returns the raw log contents, which may include user-agent strings, IP addresses, and other sensitive tracking information [ref_id=1].
Affected code
The advisory identifies the file path `/data/tracking[DATE]` as the vulnerable resource. No specific source file or function is named; the issue is that the `data/` directory is placed under the web document root and the tracking log filename follows a predictable daily pattern (e.g., `22092005`) [ref_id=1].
What the fix does
The advisory does not provide a patch or specific remediation steps. To close this vulnerability, the application should move the `data/` directory outside the web document root or add access-control checks (e.g., `.htaccess` deny rules or a PHP wrapper that validates authentication before serving log files). Additionally, filenames should be randomized or include a non-predictable token to prevent enumeration [ref_id=1].
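As an added example (not phpMyFAQ's own code) of the "PHP wrapper" remediation described above: a small endpoint that serves a tracking log only to an authenticated admin, validates the requested date so the filename cannot be used for path traversal, and reads the file from a directory outside the web document root. The directory `/var/lib/phpmyfaq/data`, the script name, and the `$_SESSION['is_admin']` flag are assumptions for illustration.

```php
<?php
// Added example, not phpMyFAQ code: gate access to tracking logs instead of
// letting the web server hand out data/tracking[DATE] directly.
declare(strict_types=1);

// Assumption: the logs were moved here, outside DocumentRoot. Adjust to your layout.
const TRACKING_DIR = '/var/lib/phpmyfaq/data';

session_start();

// Assumption: the application marks administrator sessions with this flag.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Accept only an 8-digit dmY date (e.g. 22092005); "../", slashes and
// absolute paths never pass this check, so the filename cannot be abused.
$date = $_GET['date'] ?? '';
if (!preg_match('/^\d{8}$/', $date)) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve the final path and confirm it still lies inside TRACKING_DIR.
$base = realpath(TRACKING_DIR);
$path = realpath(TRACKING_DIR . '/tracking' . $date);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Serve as plain text so browsers never interpret log contents as HTML.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path);

// If the directory cannot be moved out of the web root, additionally block
// direct requests with an .htaccess file in data/ (Apache 2.4 syntax):
//   Require all denied
```

An admin would then request `viewlog.php?date=22092005` instead of the raw file, and direct requests to `data/tracking22092005` are refused by the web server.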
Preconditions
- network: Attacker must be able to send HTTP requests to the target server.
- input: Attacker must know or guess the current date to construct the tracking filename (e.g., 22092005).
Reproduction
1. Determine the current date and format it as `dmY` (e.g., 22 September 2005 becomes `22092005`).
2. Send a GET request to `http://[target]/[path]/phpmyfaq/data/tracking22092005`.
3. The server returns the raw tracking log contents, disclosing user-agent strings, IP addresses, and other tracking data [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.