[Repost] MyCart Discloses Configuration File to Remote Users

Source: securitytracker.com

Security .Net Information Advisory
snilabs@gmail.com

General:

MyCart Discloses settings information to Remote Users

Problem Description:

MyCart stores its settings in the file settings.ini, which the web server serves to remote users as plain text. The file contains:

Company information
Web address and email address
MyCart installation paths (relative and absolute)
Database connection details, including hostname, username, password and database name
Credit card information
... plus more.

e.g.:

Company Name:=:$gCompany:=:XXXX (redacted for privacy)
Address Line 1:=:$gAddress1:=:XXXX (redacted for privacy)
Web Address:=:$gWeb:=:XXXX (redacted for privacy)
Email Address:=:$gEmail:=:XXXX (redacted for privacy)
WebSite Hostname:=:$gWebSiteHost:=:XXXX (redacted for privacy)
Relative Cart Root:=:$gRelCartRoot:=:XXXX (redacted for privacy)
Absolute Cart Root:=:$gAbsCartRoot:=:XXXX (redacted for privacy)
Relative Cart Pictures:=:$gRelCartPics:=:XXXX (redacted for privacy)
Absolute Cart Pictures:=:$gAbsCartPics:=:XXXX (redacted for privacy)
Database Hostname:=:$gDBHost:=:XXXX (redacted for privacy)
Database Username:=:$gDBUser:=:XXXX (redacted for privacy)
Database Password:=:$gDBPass:=:XXXX (redacted for privacy)
Database Name:=:$gDBName:=:XXXX (redacted for privacy)

Proof Of Concept:

The file settings.ini can be downloaded by any remote user, because the web server treats it as a static file rather than executing it:

http://target.com/cart/settings.ini
http://target.com/path_to_cart/settings.ini

The information is returned in plain text, with no authentication required.
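The check below is an added example, not part of the original advisory and not MyCart code. It parses the "Label:=:$var:=:value" line format shown above, decides whether an HTTP response body is really the exposed settings file (a catch-all "200 OK" error page must not count as a finding), and lists which sensitive variables carry a value. The sample settings text and the variable names treated as sensitive are assumptions constructed for the example; check_url() is the only part that touches the network.

```python
import re
import urllib.request
from typing import Dict, List

# Constructed sample in the format the advisory shows (values are made up).
SAMPLE_SETTINGS = """Company Name:=:$gCompany:=:Example Shop
Web Address:=:$gWeb:=:http://shop.example
Relative Cart Root:=:$gRelCartRoot:=:/cart/
Absolute Cart Root:=:$gAbsCartRoot:=:/var/www/html/cart/
Database Hostname:=:$gDBHost:=:localhost
Database Username:=:$gDBUser:=:mycart
Database Password:=:$gDBPass:=:s3cret
Database Name:=:$gDBName:=:mycartdb
"""

# Variables whose exposure matters most (assumed list based on the advisory's field names).
SENSITIVE_VARS = {
    "$gDBHost", "$gDBUser", "$gDBPass", "$gDBName",
    "$gAbsCartRoot", "$gAbsCartPics",
}

# Label has no colon; the value may contain colons (URLs), so it is matched greedily to end of line.
LINE_RE = re.compile(r"^(?P<label>[^:]+):=:(?P<var>\$\w+):=:(?P<value>.*)$")


def parse_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'Label:=:$var:=:value' lines into {var: {"label": ..., "value": ...}}.

    Lines that do not match the format (HTML, blank lines) are ignored.
    """
    parsed: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            parsed[m.group("var")] = {
                "label": m.group("label").strip(),
                "value": m.group("value"),
            }
    return parsed


def looks_like_mycart_settings(body: str) -> bool:
    """True if the body parses as the settings file and defines $gDBHost.

    Requiring a parsed database-host line avoids false positives on servers that
    answer every URL with a 200 error page.
    """
    parsed = parse_settings(body)
    return len(parsed) >= 2 and "$gDBHost" in parsed


def exposed_secrets(body: str) -> List[str]:
    """Return sensitive variables that are present with a non-empty value, sorted."""
    parsed = parse_settings(body)
    return sorted(v for v in SENSITIVE_VARS if v in parsed and parsed[v]["value"] != "")


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch a candidate settings.ini URL and classify the response (network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "settings-ini-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return {
        "status": resp.status,
        "exposed": looks_like_mycart_settings(body),
        "secrets": exposed_secrets(body),
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in check_url(...) for a live host you own.
    print(looks_like_mycart_settings(SAMPLE_SETTINGS), exposed_secrets(SAMPLE_SETTINGS))
```

The fix on the server side is the usual one for any configuration file with a non-executable extension: move settings.ini outside the document root, or deny web access to it in the web server configuration, so that only the cart's PHP code can read it.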

Summary:

Discovered: 30 / 21 / 2004
Vendor Contacted: yes, but no response
Public: 01 / 01 / 2005

Greetz: hmm, no greetz, only for: Santa Cruz - Argentina :P , sorry
for my poor English
