Credit card details exposed within CyberOffice Shopping Cart
------------------------------------------------------------------------

SUMMARY

Delphis Consulting Internet Security Team (DCIST) discovered a vulnerability in CyberOffice Shopping Cart v2 under Windows NT. A default installation allows a remote, unauthenticated attacker to download the customer database; no special privileges are needed.

DETAILS

Vulnerable systems: CyberOffice Shopping Cart v2

A default installation of CyberOffice (set up according to the vendor's instructions) lets remote attackers retrieve the database that holds customer orders, customer details and credit card numbers. The data is stored in a Microsoft Access database that is neither access-controlled nor encrypted, so anyone who obtains the file can open it and read every record.

Example:

Simply request the URL:

http://www.example.com/_private/shopping_cart.mdb

By default the _private directory is world readable and accessible to any anonymous web user. The vendor's documentation does state that the /_private/ directory should not be browseable, but disabling directory browsing only hides the directory listing; anyone who knows the file name can still download the file directly.

Workaround:

In Internet Information Server (IIS) Manager, set the web permissions on the _private directory to Write but NOT Read. Withdrawing Read stops the file being served over HTTP, while the application can still update the database, because it opens the file through the file system (under the NTFS permissions of the IIS anonymous account), not via a web request. Moving the .mdb outside the web root altogether removes the exposure entirely, since nothing in the application requires the database to be reachable by URL.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
This message contains no viruses. Guaranteed by AVP.

------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
Information : http:[EMAIL PROTECTED]
Archive : http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP : http://mikrodata.co.id/wap/index.wml
This mailing list feeds several columns edited by the MIKRODATA team, including columns that appear in other media.
Using, distributing and copying pirated software is a criminal act.
Please check against the latest AVP update before asking about a virus: ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
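Verifying the exposure (or the workaround) from the outside: the script below is an added example and is not part of the advisory, the vendor's product or the list posting. It requests only the first 32 bytes of the default path named in the advisory and checks for the header that every Jet (.mdb) database file begins with, so a server that answers 200 with a custom error page is not mistaken for a leaked database. The host name, the User-Agent string and the verdict labels are the example's own assumptions.

```python
"""Check whether a CyberOffice-style Access database is downloadable over HTTP.

Added example, not part of the original advisory or the vendor's product.
Only the path /_private/shopping_cart.mdb comes from the advisory; the
hostname, header values and verdict labels are the example's own.
"""
import sys
import urllib.error
import urllib.request

# Every Jet 3.x/4.x (.mdb) file starts with this 20-byte header; Access 2007+
# (.accdb) files use "Standard ACE DB" instead. Matching on it separates a real
# leaked database from a custom error page that happens to be served with 200.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB\x00"
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB\x00"
HEADER_LEN = 32  # bytes fetched; enough to cover either magic string

DEFAULT_PATH = "/_private/shopping_cart.mdb"  # default location per the advisory


def looks_like_access_db(data: bytes) -> bool:
    """True if data begins with a Jet or ACE database header."""
    return data.startswith(JET_MAGIC) or data.startswith(ACE_MAGIC)


def classify(status: int, body_prefix: bytes) -> str:
    """Map an HTTP status and the first bytes of the body to a verdict.

    exposed         200/206 and the body is an Access database: the bug is live
    unexpected-200  200/206 but not an Access file (soft 404, redirect page)
    blocked         401/403: the file is there but Read has been withdrawn
    not-found       404
    other           anything else (server error, odd redirect handling)
    """
    if status in (200, 206):
        return "exposed" if looks_like_access_db(body_prefix) else "unexpected-200"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not-found"
    return "other"


def probe(base_url: str, path: str = DEFAULT_PATH, timeout: float = 10.0) -> str:
    """Request the first HEADER_LEN bytes of the database and classify the reply.

    A Range header keeps the transfer to a few bytes when the server honours
    it (206); servers that ignore Range answer 200 and we read only HEADER_LEN
    bytes before closing the connection. Network call: not used by the test.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Range": f"bytes=0-{HEADER_LEN - 1}",
                 "User-Agent": "mdb-exposure-check"},  # assumed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(HEADER_LEN))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"
    print(target + DEFAULT_PATH, "->", probe(target))
```

Run it as `python3 mdb_check.py http://shop.example.com`. A verdict of "exposed" means the database really is being served; "blocked" is what the IIS workaround above should produce. "blocked" only covers this one path, so also confirm that no backup or renamed copy of the .mdb (and no other readable file) remains under the web root.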
