[NEWS] ClickCartPro Security Vulnerability (Misconfiguration)

From: support@securiteam.com
Date: 07/22/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 22 Jul 2002 22:15:52 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  ClickCartPro Security Vulnerability (Misconfiguration)
------------------------------------------------------------------------

SUMMARY

 <http://www.clickcartpro.com/> ClickCartPro is a complete e-commerce
solution. Manage a store with products for sale. Features include
categories, specials, shipping flexibility, admin statistics, order
tracking, discounts, a mail list program, file upload utilities, a banner
ad rotation program, multiple product options, and relationships, more. A
security vulnerability has been found in several configurations under the
Windows operating system due to a misconfiguration issue.

DETAILS

Vulnerable systems:
 * ClickCartPro version 4.0

Example:
Accessing the following URL will allow access to the user's database:
http://site/data/site/admin_user.db
http://site/cp/data/site/admin_user.db
http://site/data/cp/site/admin_user.db

The admin_user file contains the username and password of the webmaster
and administrator of the site.

Vendor response:
From the README:
Protecting the files in the data directory is of the highest importance.
Owners who will be running this package on Apache web server with
htaccess file protection enabled can place this directory in the same
location as the web accessible portion of their site. .htaccess files are
provided with the directory to ensure browsing via the web will not be
allowed. For those owners with Windows servers or for those not running
Apache web server, it is highly recommended that the data directory be
stored in a non-web accessible portion of your account.

ADDITIONAL INFORMATION

The information has been provided by <mailto:du1tku@yahoo.com> Leo
Siagian and <mailto:ec@kryptronic.com> Electronic Commerce Department -
Kryptronic, Inc..

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages