ZH2003-9SA (security advisory): .netCart information disclosure
Published: 16/07/2003
Released: 16/07/2003
Name: .netCart
Affected Systems: All versions (?)
Issue: Remote attackers can obtain admin information (including passwords)
Author: G00db0y@zone-h.org
Description
***********
Zone-h Security Team has discovered a serious security flaw in the
current version of .netCart (and older versions?). ".netCART is a full
featured ecommerce and shopping cart component designed for ASP.NET.
This product provides a complete ecommerce solution for ASP.NET."
Details
*******
.netCART is designed for ASP.NET, so it works with XML files. It's
possible to retrieve the source of one of these files, which contains
admin information. It's then possible to log in to services such as
ups.com, usps.com and www.authorizenet.com with this information and
to see much more information from there.
The file with this problem is here:
http://www.example.com/Data/settings.xml
Solution:
*********
The vendor has been contacted and a patch has not yet been produced.
Suggestions:
************
Protect this file.
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2708/
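
A detection check for defenders, added here as an example and not part of the original advisory: it scans IIS W3C extended logs for requests to the settings file named above and marks the ones the server answered with the file. The log lines are constructed sample data, and the logged fields (`c-ip`, `cs-uri-stem`, `sc-status`) are an assumption about the site's logging configuration.

```python
from urllib.parse import unquote

TARGET = "/data/settings.xml"  # path named in the advisory, lower-cased

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-16 10:01:02 192.0.2.10 GET /default.aspx - 200
2003-07-16 10:01:09 192.0.2.10 GET /Data/settings.xml - 200
2003-07-16 10:02:30 198.51.100.7 GET /DATA/Settings.XML - 403
2003-07-16 10:04:00 203.0.113.5 POST /cart.aspx id=4 200
"""


def normalize(stem):
    """Decode escapes, unify slashes and case (IIS paths are case-insensitive)."""
    path = unquote(stem).replace("\\", "/").lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path


def find_settings_requests(log_text, target=TARGET):
    """Return (date, time, client_ip, status, served) for each request to target."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if normalize(row.get("cs-uri-stem", "")) != target:
            continue
        status = row.get("sc-status", "")
        # 2xx: the file body was sent; 304: the client already holds a copy
        served = status.startswith("2") or status == "304"
        hits.append((row.get("date"), row.get("time"), row.get("c-ip"), status, served))
    return hits


if __name__ == "__main__":
    for date, time, ip, status, served in find_settings_requests(SAMPLE_LOG):
        note = "EXPOSED: rotate stored credentials" if served else "blocked"
        print(date, time, ip, status, note)
```

Any hit marked as served means the credentials stored in the file should be treated as disclosed and changed at the services they belong to.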