18th Jun 2002 [SBWID-5465]
COMMAND
Anonymous database access with poorly configured servers
SYSTEMS AFFECTED
?
PROBLEM
Thanks to Tacettin Karadeniz [tacettinkaradeniz@yahoo.com] for the post:
As an example, MetaCart2.sql is an ASP-based shopping cart application
with SQL database. A security vulnerability in the product allows
attackers to access the database used for storing user-provided data
(credit card numbers, names, surnames, addresses, e-mails, etc.).
Accessing any of the following URLs will return the database used by the
product:
http://xxxshop/database/metacart.mdb
http://xxxshop/metacart/database/metacart.mdb
SOLUTION
Update (13 August 2002)
======
The Metacart team has put up a web page explaining proper configuration
of your web server to avoid this kind of vulnerability, which is not
Metacart specific. See:
http://metalinks.com/secure.htm
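An added example (not from the original advisory or from the Metacart team):
a Python audit an administrator can run against a local document root to list
database files stored inside it, which the web server would hand out by URL
unless configured otherwise. The extensions other than .mdb, the function
names and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# Extensions treated as file-based data stores. ".mdb" is the one named in
# the advisory; the others are assumptions added for illustration.
DB_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db"}


def find_exposed_databases(web_root, extensions=DB_EXTENSIONS):
    """Return sorted URL paths of database files stored under web_root.

    Any file under the document root is fetchable by URL unless the server
    is configured to refuse it, so every hit needs to be moved out of the
    web root or explicitly denied.
    """
    hits = []
    web_root = os.path.abspath(web_root)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            # Compare case-insensitively: METACART.MDB is the same risk.
            if os.path.splitext(name)[1].lower() in extensions:
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_root(base):
    """Create a constructed document root mirroring the advisory's layout."""
    for rel in ("database/metacart.mdb",
                "metacart/database/METACART.MDB",
                "metacart/default.asp"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for url_path in find_exposed_databases(build_sample_root(root)):
            print("database file inside web root:", url_path)
```

Each path reported is a file to relocate outside the document root or to deny in the server configuration.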