There are some holes in the CGI e-commerce service COWS (CGI Online Worldweb Shopping).

/diagnose.cgi and /compatible.cgi give some information about the computer and all the files in the website directory. They can also be used for cross-site scripting: /diagnose.cgi?<script>MALICIOUS SCRIPT</script> or /compatible.cgi?<script>MALICIOUS SCRIPT</script>.

In the "cownsconf" directory, the file config.asc contains the crypted admin password (which can maybe be used with cookies), the website location on the HD, the "orders" directory, the "custdata" directory,...

In the custdata directory are a few *.asc files. They contain users' information: email, name, address, phone and password. The user's login is the file name.

In the orders directory, the purchases of the members: Username, Date, Card Type, Card Expires, Card Valid, price,...

To know what was bought, look up the "item.1" value in /*cowsconfdir*/catalog.asc.

Some details about all this (in French) here: http://www.bal-team.t2u.com/Tuts/Cows.txt

COWS has been warned.

frog-m@n
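For administrators checking their own installation, the following is an added example, not part of the original post or of COWS: a local audit that walks a document root and flags the *.asc data files and the two diagnostic CGIs the post describes. The sample directory layout, the order file name and the reason strings are constructed assumptions.

```python
import os
import tempfile

# From the post: *.asc data files and the two diagnostic CGI scripts.
DATA_EXTENSIONS = {".asc"}
DIAGNOSTIC_SCRIPTS = {"diagnose.cgi", "compatible.cgi"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            rel = rel.replace(os.sep, "/")
            lower = name.lower()
            if os.path.splitext(lower)[1] in DATA_EXTENSIONS:
                findings.append((rel, "data file inside document root"))
            elif lower in DIAGNOSTIC_SCRIPTS:
                findings.append((rel, "diagnostic CGI reachable from the web"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout; directory and file names are assumptions."""
    layout = [
        "index.html",
        "diagnose.cgi",
        "compatible.cgi",
        "cowsconf/config.asc",
        "cowsconf/catalog.asc",
        "custdata/alice.asc",
        "orders/0001.asc",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Anything the audit reports should be moved outside the document root or denied by the web server configuration, and the diagnostic scripts removed from production.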
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 10:40:27 PST