[NT] A-CART Database Exposure

• Previous message: support@securiteam.com: "[NEWS] Cisco VPN 3000 Concentrator Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: Thu,  5 Sep 2002 16:29:10 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  A-CART Database Exposure
------------------------------------------------------------------------

SUMMARY

 <http://www.alanward.net> A-CART is an ASP shopping cart application
written in VBScript. It is comprised of a number of ASP scripts and an
Access database.

A security vulnerability in the product allows remote attackers to
download the product's database, thus gain access to sensitive information
about users of the product (name, surname, address, e-mail, credit card
number, and user's login-password).

DETAILS

Problem:
Accessing the following URL will return the database used by the product:
http://acart.url/acart2_0/acart2_0.mdb

Solutions:
Once you have created the DSN, you need to tell A-CART its name. This can
be done by editing the line in db.asp, which says:
strConn = "acart2_0"

Change "acart2_0" to the name of the DSN you have created.

ADDITIONAL INFORMATION

The information has been provided by <mailto:tacettinkaradeniz@yahoo.com>
Tacettin Karadeniz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: support@securiteam.com: "[NEWS] Cisco VPN 3000 Concentrator Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: setting a password on a button on the switchboard ... Could you send me the sample database for the fourth option (4. ... > Security in an Access database can probably be broken down into two big ... > points about being easier than User Level Security, ... > What type of data are you trying to protect? ... (microsoft.public.access.forms) Re: access 2003 ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ... (microsoft.public.access.conversion) Re: access 2003 ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ... (microsoft.public.access.conversion) Re: Is this possible?? ... I understand Windows security but since I've not seen A2007 live, ... The backend is on the server in it's own file. ... database, but everyone does not need to have access to tblwage which is ... (microsoft.public.access.tablesdbdesign) Re: Is it safe to use social securty number as intranet username? (long) ... > they expect us to use our social security number as a username. ... by some database application ... ... The gateway router runs radius for authenticating ... ISPs perform internet connection authentication) ... (comp.security.misc)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint