ZH2003-9SA (security advisory): .netCart information disclosure

Published: 16/07/2003
Released: 16/07/2003
Name: .netCart
Affected Systems: All versions (?)
Issue: Remote attackers can obtain admin information (including passwords)
Author: G00db0y@zone-h.org

Description
***********
Zone-h Security Team has discovered a serious security flaw in the current version of .netCart (and older versions?).

".netCART is a full featured ecommerce and shopping cart component designed for ASP.NET. This product provides a complete ecommerce solution for ASP.NET."

Details
*******
.netCART is designed for ASP.NET, so it works with XML files. It is possible to retrieve the source of one of these files, which contains admin information. With this information it is then possible to log in to services such as ups.com, usps.com and www.authorizenet.com, and to see much more information from there.

The file with this problem is here:
http://www.example.com/Data/settings.xml

Solution:
*********
The vendor has been contacted, and a patch has not yet been produced.

Suggestions:
************
Protect this file.

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2708/
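One way to act on "Protect this file" is a web.config fragment at the site root. This is an added example, not part of the original advisory and not vendor-supplied. It assumes that .netCart reads Data/settings.xml from disk rather than over HTTP, and that the .xml extension has been mapped to the ASP.NET ISAPI extension in IIS.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config at the site root. Added example, not vendor-supplied. -->
<configuration>
  <!-- Scope the rule to the Data directory that holds settings.xml, so
       XML files elsewhere on the site are unaffected. -->
  <location path="Data">
    <system.web>
      <httpHandlers>
        <!-- HttpForbiddenHandler is the handler ASP.NET itself uses to
             refuse requests for *.config files; here it answers every
             HTTP request for an .xml file under /Data/ with 403.
             Assumption: the application opens settings.xml through the
             file system, which this rule does not touch. -->
        <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
      </httpHandlers>
    </system.web>
  </location>
  <!-- Caveat: on IIS 5/6 this section is only consulted for extensions
       that are mapped to aspnet_isapi.dll in the application's IIS
       configuration. Without that mapping IIS serves .xml as a static
       file and the rule above never runs. -->
</configuration>
```

After deploying, a request for /Data/settings.xml should return 403 instead of the file contents. Blocking the URL does not help with credentials that were readable before the change, so the passwords stored in the file should be changed at the services they belong to.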