Salescart vuln.

From: ComCity (mikebat_private)
Date: Wed Jun 26 2002 - 17:53:42 PDT


    This security issue is caused when Salescart is improperly deployed using
    Microsoft FrontPage and Microsoft IIS and the Microsoft Internet Information
    Web Server (IIS4.0/IIS5.0) is incorrectly administered/configured for the
    Web site where SalesCart is running.  Specifically, the /fpdb virtual directory
    permissions should NOT have READ permissions enabled.  The setting is
    completely configurable by the SalesCart Merchant using FrontPage by opening
    the Web site and right clicking the /fpdb folder, selecting properties and
    unchecking "Allow Files to be Browsed".  Since this is an issue with
    administering the IIS web server and the FrontPage Web site rather than
    SalesCart, this can only be corrected by the SalesCart Merchant or the
    Internet Service Provider.  See this knowledge base article from the vendor
    for more information.
    http://support.salescart.com/kb/KB-details.asp?key=5077
    
    ============================================================
    Per....
    
    To: BugTraq
    Subject: Salescart vuln.
    Date: Jun 21 2002 8:44PM
    Author: Tacettin Karadeniz <tacettinkaradenizat_private>
    Message-ID: <20020621204424.40064.qmailat_private>
    
    
    Summary:
    In a business website which is made by Salescart, all customer records
    related to that website are reachable. All of the database can be hidden
    in the shop.mdb file, in the fpdb directory. Any user can reach this
    database without permission.
    There is some special information in this database, namely: name, surname,
    address, e-mail, phone number, credit card number, company name ...
    The credit card numbers in the shop.mdb file are placed in the query part.
    
    Problem:
    Accessing any of the following URLs will return the
    database used by the product:
    http://xxxshop.com/fpdb/shop.mdb
    
    
    
    /* A Salescart- and Metacart-powered shopping
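
For a merchant or ISP who wants to know whether the database was served before READ permission was removed from /fpdb, the following added example (not part of either message above, and not SalesCart code) scans IIS W3C extended logs for database files under /fpdb that were actually returned to a client. The log lines are constructed, and the field set shown is an assumption about which W3C fields the site has enabled.

```python
"""Flag successful downloads of Access databases under /fpdb in IIS W3C logs."""
from urllib.parse import unquote

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2002-06-22 03:14:07 192.0.2.10 GET /default.htm 200 5120
2002-06-22 03:14:09 198.51.100.7 GET /fpdb/shop.mdb 200 1843200
2002-06-22 03:15:30 198.51.100.7 GET /FPDB/Shop.MDB 206 65536
2002-06-22 03:16:02 203.0.113.5 GET /fpdb/shop.mdb 403 0
2002-06-22 03:17:45 203.0.113.5 GET /fpdb/shop%2Emdb 200 1843200
"""

SERVED = {"200", "206"}  # full or partial content was returned


def find_db_downloads(log_text, directory="/fpdb/", extension=".mdb"):
    """Return one dict per request where a database file was actually served."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive; decode escapes before matching.
        path = unquote(row.get("cs-uri-stem", "")).lower()
        if (path.startswith(directory) and path.endswith(extension)
                and row.get("sc-status") in SERVED):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_db_downloads(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"],
              hit["cs-uri-stem"], hit["sc-status"], hit.get("sc-bytes", "-"))
```

Any hit means the file left the server, so the records it held should be treated as disclosed; the 403 entry in the sample is what the same request looks like once the permission is corrected.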
    



    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 10:27:52 PDT