[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CACTUSHOP 6 Default Installation Allows Remote Database Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CACTUSHOP 6 Default Installation Allows Remote Database Disclosure
From: DoZ@xxxxxxxxxxxxxxxxx
Date: 4 Jun 2007 00:30:24 -0000

Cactushop (V6) allows remote users to download the database which contains 
creditcard
numbers and critical information. The affected carts default installation gives 
away the path to database file. As a result, an attacker exploiting this 
vulnerability will be able to obtain detailed private customer information, 
including credit card numbers, order details, addresses, telephone numbers, etc.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Remote: YES
Class: Improper Instalation configuration.



Vendor: WWW.CACTUSHOP.COM

Product:

CACTUSHOP v.6 ASP SHOPPING CART



Path Disclosure Exploits:

- http://target.com/path_to_cart/database/cactushop6.mdb


* Privous version v.5 is effected and older might also be effected.


- http://target.com/path_to_cart/database/cactushop5.mdb


* Attackers can exploit these issues via a web client.


Proff of Concept: http://i12.tinypic.com/5x8nxp5.jpg




Only becoming a hacker you can stop a hacker. Were can you learn with out 
having to pay thousands?- http://kit.hackerscenter.com/ - The most 
comprehensive security pack you will ever find on the net!

Prev by Date: BCS'07 Call For Papers
Next by Date: S21Sec-035: F5 FirePass command execution vulnerability
Previous by thread: BCS'07 Call For Papers
Next by thread: S21Sec-035: F5 FirePass command execution vulnerability
Index(es):
- Date
- Thread