Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and credentials via unspecified vectors.
http://www.securityfocus.com/bid/67043
http://www.securityfocus.com/archive/1/531911/100/0/threaded