Re: [Vulnerability] : ProductCart database file can be downloaded remotely

["morning_wood" <se_cur_ity () hotmail com>]

vuln to XSS too..

http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp

----- Original Message ----- 
From: "gyrniff" <b240503 () gyrniff dk>
To: <full-disclosure () lists netsys com>
Sent: Saturday, July 05, 2003 10:37 AM
Subject: Re: [Full-disclosure] [Vulnerability] : ProductCart database
file can be downloaded remotely


> URL:
http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> Change the name Paul to Paul'
>
> Microsoft OLE DB Provider for ODBC Drivers
>  error '80040e14'
> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in
> query expression ''Paul'',lastName='Smith',customerCompany='Early
Impact',
> address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE
idCustomer=115'.
> /productcart/build_to_order/productcart/pcadmin/processOrder.asp,
line 36
> have a nice weekend ;-)
>
> On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > ProductCart database file can be downloaded remotely
> > =================================================
> >
> > PROGRAM: ProductCart
> > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > VULNERABLE VERSIONS: 1.0 to 2.0
> > RISK: High
> >
> >
> > DESCRIPTION
> > =================================================
> >
> > ProductCart® is an ASP shopping cart that combines sophisticated
> > ecommerce features with time-saving store management tools and
remarkable
> > ease of use. It is widely used by many e-commerce sites.
> >
> > DETAILS
> > =================================================
> >
> > In the default installation, product cart database file is located
at
> > /productcart/database/EIPC.mdb which can be accessed easily
> > by any remote attackers.
> >
> > Sample: http://victimhost/productcart/database/EIPC.mdb
> >
> > The database file includes the store administration password as
well as
> > customer's info (including credit card info).
> >
> >
> >  WORKAROUND
> > =================================================
> >
> > Rename the database file, put it in a protected directory.
> >
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> >
> > DISLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use
of
> > this information constitutes acceptance for use in an AS IS
condition.
> > There are NO warranties with regard to this information. In no
event
> > shall the author be liable for any damages whatsoever arising out
of
> > or in connection with the use or spread of this information. Any
use
> > of this information is at the user's own risk.
> >
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to:
trihuynh () zeeup com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html