Salescart vuln.

From: ComCity (mikeb@comcity.com)
Date: 06/27/02


From: "ComCity" <mikeb@comcity.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 26 Jun 2002 17:53:42 -0700

This security issue is caused when Salescart is improperly deployed using
Microsoft FrontPage and Microsoft IIS and the Microsoft Internet Information Web
Server (IIS4.0/IIS5.0) is incorrectly administered/configured for the Web
site where SalesCart is running. Specifically, the /fpdb virtual directory
permissions should NOT have READ permissions enabled. The setting is
completely configurable by the SalesCart Merchant using FrontPage by opening
the Web site and right clicking the /fpdb folder, selecting properties and
unchecking "Allow Files to be Browsed". Since this is an issue with
administering the IIS web server and the FrontPage Web site rather than
SalesCart, this can only be corrected by the SalesCart Merchant or the
Internet Service Provider. See this knowledge base article from the vendor
for more information.
http://support.salescart.com/kb/KB-details.asp?key=5077

============================================================
Per....

To: BugTraq
Subject: Salescart vuln.
Date: Jun 21 2002 8:44PM
Author: Tacettin Karadeniz <tacettinkaradeniz@yahoo.com>
Message-ID: <20020621204424.40064.qmail@web21304.mail.yahoo.com>

Summary:
In a business website which is made by Salescart, all customer records
related to that website are reachable. The entire database can be hidden in
the shop.mdb file, in the fpdb directory. Any user can reach this database
without permission.
There is some special information in this database: name, surname, address,
e-mail, phone number, credit card number, company name ...
The credit card numbers in the shop.mdb file are placed in the query part.

Problem:
Accessing any of the following URLs will return the
database used by the product:
http://xxxshop.com/fpdb/shop.mdb

/* Salescart ve Metacart kullanILan bir alI$veri$
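
An added example, not part of either message and not vendor code: a Python check that a merchant or ISP could run over IIS W3C Extended logs to see whether any .mdb file under /fpdb was actually served. The log lines are constructed, and the function name and the choice of 200/206 as "served" are assumptions of this example.

```python
# Constructed sample in IIS W3C Extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2002-06-21 20:50:01 192.0.2.10 GET /default.asp - 200 5120
2002-06-21 20:51:13 198.51.100.7 GET /fpdb/shop.mdb - 200 1458176
2002-06-21 20:52:40 198.51.100.7 GET /FPDB/Shop.MDB - 206 65536
2002-06-21 20:53:02 203.0.113.5 GET /fpdb/shop.mdb - 403 172
2002-06-21 20:54:17 203.0.113.5 HEAD /fpdb/shop.mdb - 200 243
#Fields: date time c-ip cs-uri-stem sc-status
2002-06-22 01:02:03 198.51.100.9 /fpdb/orders.mdb 200
"""

SERVED = {"200", "206"}  # assumption: full or partial content means the file was readable


def find_db_downloads(lines, prefix="/fpdb/", ext=".mdb"):
    """Return (served, denied) lists of (date, time, c-ip, stem, status).

    Column positions are taken from each '#Fields:' directive, because the
    logged fields are configurable and can change in the middle of a file.
    """
    fields, served, denied = [], [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Paths on IIS/Windows are case-insensitive, so compare in lower case.
        stem = rec.get("cs-uri-stem", "").lower()
        if not (stem.startswith(prefix) and stem.endswith(ext)):
            continue
        status = rec.get("sc-status", "")
        entry = (rec.get("date"), rec.get("time"), rec.get("c-ip"), stem, status)
        (served if status in SERVED else denied).append(entry)
    return served, denied


if __name__ == "__main__":
    served, denied = find_db_downloads(SAMPLE_LOG.splitlines())
    for e in served:
        print("SERVED", *e)
    for e in denied:
        print("denied", *e)
```

Any SERVED row means READ was enabled on /fpdb at that time and the customer records in the database should be treated as disclosed to that client address.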


