Message-ID: <20030716172514.15898.qmail@www.securityfocus.com>
Date: 16 Jul 2003 17:25:14 -0000
From: G00db0y <G00db0y@...e-h.org>
To: bugtraq@...urityfocus.com
Subject: ZH2003-9SA (security advisory): .netCart information disclosure




ZH2003-9SA (security advisory): .netCart information disclosure

Published: 16/07/2003

Released: 16/07/2003

Name: .netCart

Affected Systems: All versions (?) 

Issue: Remote attackers can obtain admin information (including passwords)

Author: G00db0y@...e-h.org

Description

***********

Zone-h Security Team has discovered a serious security flaw in the
current version of .netCart (and possibly older versions). ".netCART is a full
featured ecommerce and shopping cart component designed for ASP.NET.
This product provides a complete ecommerce solution for ASP.NET."



Details

*******

.netCART is designed for ASP.NET, so it keeps its data in XML files. It is
possible to retrieve one of these files, which contains admin
information, directly from the web server. With that information it is then
possible to log in to services such as ups.com, usps.com and
www.authorizenet.com, and to see much more information from there.

The file with this problem is here:

http://www.example.com/Data/settings.xml


Solution:

*********

The vendor has been contacted; no patch has been produced yet.


Suggestions:

************

Protect this file so that it cannot be retrieved from the web server.
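One way to do that on an ASP.NET application, as an added example that is not part of the advisory and not the vendor's own configuration: a web.config for the application root that refuses to serve *.xml files and denies all web users access to the Data folder (the folder name is assumed from the URL given above).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the advisory or the .netCART vendor): keeps
     ASP.NET from serving .xml files and blocks web access to /Data. -->
<configuration>
  <!-- Any request for a *.xml file handled by ASP.NET gets a 403 from
       HttpForbiddenHandler instead of the file's contents. -->
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>

  <!-- Second layer: no user, anonymous or authenticated, may request
       anything under the Data folder (folder name assumed from the URL). -->
  <location path="Data">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Both rules only take effect for requests that reach ASP.NET: on IIS 5/6 a .xml file is served as a static file by IIS itself unless the .xml extension is mapped to aspnet_isapi.dll in the application's mappings, so verify that mapping after deploying this. Moving the settings file outside the web root removes the exposure without depending on either rule.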


G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2708/

