[NT] MetaCart eCommerce Systems Database Exposure

From: support@securiteam.com
Date: 06/18/02

• Previous message: support@securiteam.com: "[EXPL] TrACESroute GOLD Local Format String Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Jun 2002 08:22:24 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  MetaCart eCommerce Systems Database Exposure
------------------------------------------------------------------------

SUMMARY

 <http://metalinks.com/metacart.htm> MetaCart2.sql is an ASP based
shopping Cart application with SQL database. A security vulnerability in
the product allows attackers to access the database used for storing user
provided data (Credit cart numbers, Names, Surnames, Addresses, E-mails,
etc).

DETAILS

Exploit:
Accessing any of the following URL will return the database used by the
product:
http://xxxshop/database/metacart.mdb
http://xxxshop/metacart/database/metacart.mdb

ADDITIONAL INFORMATION

The information has been provided by <mailto:tacettinkaradeniz@yahoo.com>
Tacettin Karadeniz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

---

• Previous message: support@securiteam.com: "[EXPL] TrACESroute GOLD Local Format String Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: setting a password on a button on the switchboard ... Could you send me the sample database for the fourth option (4. ... > Security in an Access database can probably be broken down into two big ... > points about being easier than User Level Security, ... > What type of data are you trying to protect? ... (microsoft.public.access.forms) Re: access 2003 ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ... (microsoft.public.access.conversion) Re: access 2003 ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ... (microsoft.public.access.conversion) Re: Is this possible?? ... I understand Windows security but since I've not seen A2007 live, ... The backend is on the server in it's own file. ... database, but everyone does not need to have access to tblwage which is ... (microsoft.public.access.tablesdbdesign) Re: Is it safe to use social securty number as intranet username? (long) ... > they expect us to use our social security number as a username. ... by some database application ... ... The gateway router runs radius for authenticating ... ISPs perform internet connection authentication) ... (comp.security.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Securiteam  > 2002-06