('binary' encoding is not supported, stored as-is) ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure Published: 9 august 2003 Released: 9 august 2003 Name: geeeekShop Shopping Cart System Affected Systems: 1.4.0 Issue: Remote attackers can know the path of the site Author: G00db0y@zone-h.org Vendor: http://www.geeeeksoft.com Description *********** Zone-h Security Team has discovered a flaw in geeeekShop Shopping Cart v1.4.0. "geeeekShop is a PHP / MySQL based shopping cart system that is easy enough for somebody who is new to the internet but powerful enough for the seasoned veteran." Details ******* It's possible to make a malformed http request for many files in geeeekShop Shopping Cart and in doing so trigger an error. The resulting error message will disclose potentially sensitive installation path information to the remote attacker. Example: http://www.site.com/shop/?category=xxxxxx&parent=0&page=x&/' If we do a simple http request for many files in geeeekShop Shopping Cart we will have the same problem. Example: http://www.site.com/shop/php_files/site.config.php Solution: ********* The vendor has been contacted and a patch is not yet produced. Suggestions: ************ Filter all files. G00db0y - www.zone-h.org admin Original advisory here: http://www.zone-h.org/en/advisories/read/id=2853/
This archive was generated by hypermail 2b30 : Sat Aug 09 2003 - 10:44:37 PDT