
Midicart remote database download
12th Aug 2002 [SBWID-5621]
COMMAND

	Midicart remote database download

SYSTEMS AFFECTED

	Midicart ?

PROBLEM

	Dimitri Sekhniashvili [contrabanda@wanex.ge] says :
	

	MIDICART is an ASP and PHP based shopping Cart application with MS
	Access and SQL database. A security vulnerability in the product allows
	remote attackers to download the product's database, thus gaining access
	to sensitive information about users of the product (name, surname,
	address, e-mail, phone number, credit card number, and company name).
	Example: Accessing the following URL will return the database used by
	the product:
	

	http://someshope.com/shoppingdirectory/midicart.mdb

	

SOLUTION

	?
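
	An added example, not part of the advisory or of Midicart: a Python audit
	that a site operator can run over a local copy of the web root to find
	Access database files sitting where the web server can serve them, as with
	the midicart.mdb path above. The function names, the finding labels and the
	sample tree are assumptions constructed for the illustration.

```python
import os
import tempfile

# Header strings at byte offset 4 of Access files (Jet .mdb, ACE .accdb).
ACCESS_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = {".mdb", ".accdb"}


def looks_like_access_db(path):
    """Return True if the file header carries an Access magic string."""
    with open(path, "rb") as fh:
        header = fh.read(32)
    return any(header[4:4 + len(m)] == m for m in ACCESS_MAGICS)


def find_exposed_databases(web_root):
    """Walk web_root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if looks_like_access_db(full):
                findings.append((rel, "access-header"))  # catches renamed copies
            elif os.path.splitext(name)[1].lower() in DB_EXTENSIONS:
                findings.append((rel, "db-extension"))
    return sorted(findings)


def audit_constructed_webroot():
    # Hypothetical web root built in a temp directory; all file contents are constructed.
    root = tempfile.mkdtemp(prefix="webroot-")
    shop = os.path.join(root, "shoppingdirectory")
    os.makedirs(shop)
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64  # constructed header
    samples = {
        "midicart.mdb": jet,            # database under the served directory
        "backup.bak": jet,              # same content under another extension
        "default.asp": b"<% 'page %>",  # ordinary script, not flagged
        "empty.mdb": b"",               # database extension without a header
    }
    for name, data in samples.items():
        with open(os.path.join(shop, name), "wb") as fh:
            fh.write(data)
    return find_exposed_databases(root)


if __name__ == "__main__":
    for rel, reason in audit_constructed_webroot():
        print(f"{reason:14} /{rel}")
```

	Any path it reports is a candidate for relocation outside the served
	directory tree or for a server rule that refuses to serve that file type.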
