| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7e0f5ca37673fc76f9e46823ae4da4f6@zataz.net> From: exploits at zataz.net (ZATAZ) Subject: Credit Card data disclosure in CitrusDB Hello, As I can see this is not the only adviso for CitrusDB. http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -002.txt http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -003.txt http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -004.txt http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -005.txt Also new adviso for awstats 6.2 : http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -006.txt JPEG EXIF information disclosure : http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 -008.txt This adviso are not official ? Regards. Le 12 f?vr. 05, ? 23:31, Maximillian Dornseif a ?crit : > Credit Card data disclosure in CitrusDB > > A group of students at our lab called RedTeam found an information > disclosure vulnerability in CitrusDB which can result in disclosure of > credit card information. > > Details > ======= > > Product: CitrusDB > Affected Version: <= 0.3.5 > Immune Version: >=0.3.6 > OS affected: all > Security-Risk: very high > Remote-Exploit: yes > Vendor-URL: http://www.citrusdb.org/ > Vendor-Status: informed, new version released > Advisory-URL: > http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-001 > CVE: CAN-2005-0229 > > Introduction > ============ > > Description from vendor: > "CitrusDB is an open source customer database application that uses PHP > and a database backend (currently MySQL) to keep track of customer > information, services, products, billing, and customer service > information." > > CitrusDB uses a textfile to temporarily store credit card information. > This textfile is located in the web tree via a static URL and thus > accessible to third parties. It also isn't deleted after processing > resulting in a big window of opportunity for an attacker. > > More Details > ============ > > The URL to the textfile "<path to CitrusDB>/io/newfile.txt" is stated > in the files "tools/uploadcc.php" and "tools/importcc.php". The <path > to CitrusDB> is always known while surfing. Therefor also "newfile.txt" > containing the credit card data can be easily found and accessed. This > leads to disclosure of the confidential data stored in that file. > > Proof of Concept > ================ > > Add "/citrusdb/io/newfile.txt" to the URL of a site running CitrusDB > default installation. > > Workaround > ========== > > Either deny access to the file using access restriction features of > your webserver or change CitrusDB to use a file outside document root > and not accessible via http. > > Fix > === > > Update to CitrusDB version 0.3.6 or higher and set the $path_to_ccfile > in the configuration to a path not accessible via http > > Security Risk > ============= > > The software is still beta, so it probably isn't widely used. To sites > running CitrusDB, the risk is very high because credit card data is > concerned. Disclosure of credit card data can lead to serious liability > issues for the site. > > Vendor Status > ============= > > 2005-01-28 Email sent to author > 2005-01-28 Answer from author received, new version released > > RedTeam > ======= > > RedTeam is a penetration testing group working at the Laboratory for > Dependable Distributed Systems at RWTH-Aachen University. You can find > more Information on the RedTeam Project at > http://tsyklon.informatik.rwth-aachen.de/redteam/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > Cordialement ----------------------------------------------------- Eric Romang / ZATAZ / ZATAZ Internet Co-fondateur de ZATAZ President Association ZATAZ Internet eromang@...az.net http://www.zataz.com GSM : +352 091 600 404 B.P. 311 59474 Seclin Cedex France -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/enriched Size: 3863 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050213/8148817b/attachment.bin
Powered by blists - more mailing lists