[30775] in bugtraq
ZH2003-9SA (security advisory): .netCart information disclosure
daemon@ATHENA.MIT.EDU (G00db0y)
Wed Jul 16 19:01:12 2003
Date: 16 Jul 2003 17:25:14 -0000
Message-ID: <20030716172514.15898.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: G00db0y <G00db0y@zone-h.org>
To: bugtraq@securityfocus.com
ZH2003-9SA (security advisory): .netCart information disclosure
Published: 16/07/2003
Released: 16/07/2003
Name: .netCart
Affected Systems: All versions (?)
Issue: Remote attackers can obtain admin information (including passwords)
Author: G00db0y@zone-h.org
Description
***********
Zone-h Security Team has discovered a serious security flaw in the
current version of .netCart (and possibly older versions). ".netCART is a
full featured ecommerce and shopping cart component designed for ASP.NET.
This product provides a complete ecommerce solution for ASP.NET."
Details
*******
.netCART is designed for ASP.NET and stores its configuration in XML
files. One of these files, which contains admin information, can be
retrieved remotely in source form. The credentials it holds can then be
used to log in to services such as ups.com, usps.com and
www.authorizenet.com, where much more information becomes visible.
The affected file is:
http://www.example.com/Data/settings.xml
Solution:
*********
The vendor has been contacted; no patch has been produced yet.
Suggestions:
************
Protect this file: it must not be retrievable by a web request.
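One way to carry out that suggestion on IIS 7 or later, added here as an example and not taken from the advisory or the vendor's product: a web.config at the application root that marks Data as a hidden segment in request filtering, so every request whose path contains a /Data/ segment is answered with 404 before any file is read. The folder name Data comes from the advisory's URL; the rest is assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the advisory or the vendor): block web access
     to the Data folder that holds settings.xml. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Hidden segments are enforced by IIS for every request, static
             files included, so /Data/settings.xml gets a 404 regardless of
             which handler the .xml extension is mapped to. -->
        <hiddenSegments>
          <add segment="Data" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <!-- Second layer: ASP.NET URL authorization denies everyone for the Data
       path on any request that ASP.NET itself processes. -->
  <location path="Data">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two caveats. The hidden segment matches any URL segment named Data anywhere in the path, so confirm the application does not serve legitimate content from such a path before deploying it. And on the platform current when this advisory was written (IIS 6 with ASP.NET 1.x), the `<system.web>` authorization section only applies to requests that reach the ASP.NET ISAPI; a .xml file is served by IIS as static content without consulting web.config, so there the file has to be moved outside the web root or denied with IIS directory and NTFS permissions. In either case, a request for /Data/settings.xml logging a 200 in the IIS logs means the file is still exposed; after the fix it should log 404 (or 403).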
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2708/