Mavili Guestbook, as released in November 2007, stores guestbook.mdb under the web root with insufficient access control, which allows remote attackers to read the database via a direct request.