[转载]MyCart Discloses Configuration File to Remote Users
信息来源:securitytracker.comSecurity .Net Information Advisore
[email]snilabs@gmail.com[/email]
General:
MyCart Discloses settings information to Remote Users
Problem Description:
MyCart Discloses settings information to Remote Users in the file settings.ini
This file contains in plain text (O_O):
Information about company
Web Address and email addrress
Info of path Mycart
Database info included Hostname Username Password and more
Credit Card info
... plus more.
ej:
Company Name:=:$gCompany:=:XXXX (for Privacity)
Address Line 1:=:$gAddress1:=:XXXX (for Privacity)
Web Address:=:$gWeb:=:XXXX (for Privacity)k
Email Address:=:$gEmail:=:XXXX (for Privacity)
WebSite Hostname:=:$gWebSiteHost:=:XXXX (for Privacity)
Relative Cart Root:=:$gRelCartRoot:=:XXXX (for Privacity)
Absolute Cart Root:=:$gAbsCartRoot:=:XXXX (for Privacity)
Relative Cart Pictures:=:$gRelCartPics:=:XXXX (for Privacity)
Absolute Cart Pictures:=:$gAbsCartPics:=:XXXX (for Privacity)
Database Hostname:=:$gDBHost:=:XXXX (for Privacity)
Database Username:=:$gDBUser:=:XXXX (for Privacity)
Database Password:=:$gDBPass:=:XXXX (for Privacity)
Database Name:=:$gDBName:=:XXXX (for Privacity)
Proof Of Concept:
the file settings.ini can downloaded from remote users:
[url]http://target.com/cart/settings.ini[/url]
[url]http://target.com/path_to_cart/settings.ini[/url]
the info is in plain text (lol)
Sumary:
Discovered: 30 / 21 / 2004
Vendor Contacted: yes but not response
Public: 01 / 01 / 2005
Greetz: mm nothing greetz only for : Santa Cruz - Argentina :P , sorry
foor my poor english
页:
[1]