ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure





Published: 9 august 2003



Released: 9 august 2003



Name: geeeekShop Shopping Cart System 



Affected Systems: 1.4.0



Issue: Remote attackers can know the path of the site



Author: G00db0y@zone-h.org



Vendor: http://www.geeeeksoft.com



Description



***********



Zone-h Security Team has discovered a flaw in geeeekShop Shopping Cart

v1.4.0. "geeeekShop is a PHP / MySQL based shopping cart system that is 

easy enough for somebody who is new to the internet but powerful enough 

for the seasoned veteran."







Details



*******

 

It's possible to make a malformed http request for many files in

geeeekShop Shopping Cart and in doing so trigger an error. 

The resulting error message will disclose potentially sensitive 

installation 

path information to the remote attacker.



Example:



http://www.site.com/shop/?category=xxxxxx&parent=0&page=x&/'





If we do a simple http request for many files in geeeekShop Shopping Cart 

we

will have the same problem.



Example:



http://www.site.com/shop/php_files/site.config.php 









Solution:



*********



The vendor has been contacted and a patch is not yet produced.





Suggestions:



************



Filter all files. 





G00db0y - www.zone-h.org admin



Original advisory here: http://www.zone-h.org/en/advisories/read/id=2853/