Re: Credit Card data disclosure in CitrusDB

[ZATAZ <exploits () zataz net>]

Hello,

As I can see this is not the only adviso for CitrusDB.

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-002.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-003.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-005.txt

Also new adviso for awstats 6.2 :

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-006.txt

JPEG EXIF information disclosure  :

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-008.txt

This adviso are not official ?

Regards.

Le 12 févr. 05, à 23:31, Maximillian Dornseif a écrit :

> Credit Card data disclosure in CitrusDB
>
> A group of students at our lab called  RedTeam found an information
> disclosure vulnerability in CitrusDB which can result in disclosure of
> credit card information.
>
> Details
> =======
>
> Product: CitrusDB
> Affected Version: <= 0.3.5
> Immune Version: >=0.3.6
> OS affected: all
> Security-Risk: very high
> Remote-Exploit: yes
> Vendor-URL: http://www.citrusdb.org/
> Vendor-Status: informed, new version released
> Advisory-URL:
> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-001
> CVE: CAN-2005-0229
>
> Introduction
> ============
>
> Description from vendor:
> "CitrusDB is an open source customer database application that uses PHP
> and a database backend (currently MySQL) to keep track of customer
> information, services, products, billing, and customer service
> information."
>
> CitrusDB uses a textfile to temporarily store credit card information.
> This textfile is located in the web tree via a static URL and thus
> accessible to third parties. It also isn't deleted after processing
> resulting in a big window of opportunity for an attacker.
>
> More Details
> ============
>
> The URL to the textfile "<path to CitrusDB>/io/newfile.txt" is stated
> in the files "tools/uploadcc.php" and "tools/importcc.php". The <path
> to CitrusDB> is always known while surfing. Therefor also "newfile.txt"
> containing the credit card data can be easily found and accessed. This
> leads to disclosure of the confidential data stored in that file.
>
> Proof of Concept
> ================
>
> Add "/citrusdb/io/newfile.txt" to the URL of a site running CitrusDB
> default installation.
>
> Workaround
> ==========
>
> Either deny access to the file using access restriction features of
> your webserver or change CitrusDB to use a file outside document root
> and not accessible via http.
>
> Fix
> ===
>
> Update to CitrusDB version 0.3.6 or higher and set the $path_to_ccfile
> in the configuration to a path not accessible via http
>
> Security Risk
> =============
>
> The software is still beta, so it probably isn't widely used. To sites
> running CitrusDB, the risk is very high because credit card data is
> concerned. Disclosure of credit card data can lead to serious liability
> issues for the site.
>
> Vendor Status
> =============
>
> 2005-01-28 Email sent to author
> 2005-01-28 Answer from author received, new version released
>
> RedTeam
> =======
>
> RedTeam is a penetration testing group working at the Laboratory for
> Dependable Distributed Systems at RWTH-Aachen University. You can find
> more Information on the RedTeam Project at
> http://tsyklon.informatik.rwth-aachen.de/redteam/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Cordialement

-----------------------------------------------------

Eric Romang / ZATAZ / ZATAZ Internet
Co-fondateur de ZATAZ
President Association ZATAZ Internet
eromang () zataz net
http://www.zataz.com
GSM : +352 091 600 404
B.P. 311 
59474 Seclin Cedex 
France
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html