a.shopKart Default Installation Discloses Database to Remote Users
|
|
SecurityTracker Alert ID: 1009549
|
|
SecurityTracker URL: http://securitytracker.com/id?1009549
|
|
CVE Reference: CVE-2006-2823
(Links to External Site)
|
Updated: Jun 9 2006
|
Original Entry Date: Mar 24 2004
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0
|
Description: CyberTalon reported a configuration vulnerability in a.shopKart in the default installation. A remote user can download the database, including user and credit card information.
It is reported that the default installation places the shopping cart database in the 'admin' directory in the web document directory.
A remote user can download the database with the following type of URL:
http://[target]/admin/scart.mdb
|
Impact: A remote user can download the shopping cart database to obtain user information, including credit card numbers.
|
Solution: The vendor's installation instructions note that the administrator should restrict access to the admin folder.
|
Vendor URL: www.urlogy.com/asp/ashopkart.asp (Links to External Site)
|
Cause: Access control error, Configuration error
|
Underlying OS: Windows (Any)
|
Reported By: cyber_talon@hotmail.com
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 22 Mar 2004 17:15:10 -0500
From: Stuart Moore <smoore@securityglobal.net>
Subject: a.shopKart 2.0 lets remote users download the database
|
a.shopKart 2.0 lets remote users download the database
Found by: CyberTalon
1. Problem
2. Exploit
3. Info
1. a.shopKart 2.0 lets remote users download the database which contains creditcard
numbers and information, plus more.
2. www.site.com/admin/scart.mdb
3. Vendor URL: http://www.urlogy.com/asp/ashopkart.asp
-CT
|
|
