Comersus Shopping Cart Discloses the Commerce Database to Remote Users
SecurityTracker Alert ID: 1007065
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 26 2003
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Advisory: 1ndonesian Security Team
Version(s): 4.29
Description: 1ndonesian Security Team (1st) reported two flaws in the Comersus shopping cart software. A remote user can view the shopping cart database. A remote user can also conduct cross-site scripting attacks.
It is reported that the default configuration installs the shopping cart database in a web server directory that can be accessed by remote users. A demonstration exploit URL is provided:
http://[target_site_with_shopping_cart_installed]/database/comersus.mdb
It is also reported that the comersus_message.asp script does not filter user-supplied HTML when displaying error messages. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Comersus shopping cart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target_site_with_shopping_cart_installed]/comersus_message.asp?message=<script>alert('1st')</script>
The vendor has reportedly been notified without response.
Impact: A remote user can view the shopping cart database contents.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Comersus software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
The report indicates that, as a workaround to the database file disclosure flaw, you can use web server access controls to protect access to the shopping cart database file.
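Added example, not from the advisory or from Comersus: detection logic run over constructed IIS W3C log lines that flags both issues described above, a served copy of /database/comersus.mdb (status 200, versus the 403 the recommended directory protection produces) and script content in the comersus_message.asp message parameter. The log field layout and the sample records are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C extended log sample (not from the advisory).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2003-06-26 11:50:41 GET /default.asp - 200 10.0.0.5
2003-06-26 11:50:44 GET /database/comersus.mdb - 200 10.0.0.9
2003-06-26 11:51:02 GET /comersus_message.asp message=Order+not+found 200 10.0.0.5
2003-06-26 11:51:30 GET /comersus_message.asp message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E 200 10.0.0.9
2003-06-26 11:52:00 GET /database/comersus.mdb - 403 10.0.0.9
"""

# Markers of script injection in the reflected "message" value.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Label one record: mdb-download, mdb-blocked, xss-attempt, or None."""
    stem = rec["cs-uri-stem"].lower()
    if stem.startswith("/database/") and stem.endswith(".mdb"):
        # 200 means the Access file was served; 403 means the recommended
        # web server protection of /database/ is in place and working.
        return "mdb-download" if rec["sc-status"] == "200" else "mdb-blocked"
    if stem.endswith("/comersus_message.asp") and rec["cs-uri-query"] != "-":
        # parse_qs percent-decodes, so %3Cscript%3E becomes <script>.
        params = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        if any(SCRIPT_MARKERS.search(v) for v in params.get("message", [])):
            return "xss-attempt"
    return None

def scan(text):
    """Return (label, client ip, uri stem) for every flagged record."""
    return [(label, rec["c-ip"], rec["cs-uri-stem"])
            for rec in parse_w3c(text)
            for label in [classify(rec)] if label]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```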
Vendor URL: www.comersus.com/
Cause: Access control error, Input validation error
Underlying OS: Windows (Any)
Reported By: Bosen <mobile@bosen.net>
Message History:
None.
Source Message Contents
Date: Thu, 26 Jun 2003 18:50:41 +0700
From: Bosen <mobile@bosen.net>
Subject: Comersus Shopping Cart Information Disclosure
1ndonesian Security Team (1st)
http://bosen.net/releases/
===========================================================================
Security Advisory
Advisory Name: Comersus Shopping Cart Information Disclosure
Release Date: 05/25/2003
Application: 4.29
Platform: Win32
Severity: High/Remote
BUG Type: Information Disclosure
Author: Bosen <mobile@bosen.net>
Discovered by: Bosen <mobile@bosen.net>
Vendor Status: Notified, see response below.
Vendor URL: http://www.comersus.com/
Reference: http://bosen.net/releases/
Overview:
Comersus is a sophisticated e-commerce system resulting from research and experience
accumulated through years of work in electronic commerce strategies.
The commercial implementation of the system was accomplished in the year 2000,
in the Open Source mode.
Details:
The commercial implementation of the system was accomplished in the year 2000,
in the Open Source mode.
In the distribution package, this shopping cart puts the database information
in a public place.
Exploits:
http://[target_site_with_shopping_cart_installed]/database/comersus.mdb
Vendor Response:
Contacted with no response
Recommendation:
Protect /database/ directory.
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team researches and develops intelligent, advanced application
security assessments. Based in Indonesia, 1ndonesian Security Team offers best of
breed security consulting services, specialising in application, host and network
security assessments.
1st provides security information and patches for use by the entire 1st community.
This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is appropriately
credited and the document retains.
Greetz to:
AresU, TioEuy, sakitjiwa, syzwz, muthafuka, negative and all 1ndonesian Security
Team
Bosen <mobile@bosen.net>
======================
Original document can be found at http://bosen.net/releases/?id=33
-----
1ndonesian Security Team (1st)
http://bosen.net/releases/
========================================================================
Security Advisory
Advisory Name: Comersus XSS Vulnerability
Release Date: 06/21/2003
Application: 4.29
Platform: Win32
Severity: Medium
BUG Type: XSS
Author: Bosen <mobile@bosen.net>
Discovered by: Bosen <mobile@bosen.net>
Vendor Status: See below.
Vendor URL: http://www.comersus.com/
Reference: http://bosen.net/releases/
Overview:
Comersus is a sophisticated e-commerce system resulting from research and experience
accumulated through years of work in electronic commerce strategies.
The commercial implementation of the system was accomplished in the year 2000,
in the Open Source mode.
Details:
The commercial implementation of the system was accomplished in the year 2000,
in the Open Source mode.
The bug lies in the error message handling in comersus_message.asp, which allows an attacker
to inject XSS script.
Exploits:
http://[target_site_with_shopping_cart_installed]/comersus_message.asp?message=<script>alert('1st')</script>
Vendor Response:
Not Contacted. Not high risk.
Recommendation:
No recommendation for this.
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team researches and develops intelligent, advanced application
security assessments. Based in Indonesia, 1ndonesian Security Team offers best of
breed security consulting services, specialising in application, host and network
security assessments.
1st provides security information and patches for use by the entire 1st community.
This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is appropriately
credited and the document retains.
Bosen <mobile@bosen.net>
======================
Original document can be found at http://bosen.net/releases/?id=39