 |
Inicial ▼ Bookkeeping
Online ▼ Auditorias ▼
DNS
Administrado ▼
Acerca de DNS
Ordenar/Renovar
Preguntas Frecuentes
AUP
Dynamic DNS Clients
Configurar Dominios Dynamic DNS Update Password Monitoreo
de Redes ▼
Enterprise
Avanzado
Estándarr
Prueba
Preguntas Frecuentes
Resumen de Precio/Funciones
Ordenar
Muestras
Configure/Status Alert Profiles | ||
| ID de Prueba: | 1.3.6.1.4.1.25623.1.0.10718 |
| Categoría: | Web application abuses |
| Título: | DCShop exposes sensitive files |
| Resumen: | We detected a vulnerable version of the DCShop CGI.; This version does not properly protect user and credit card information.; It is possible to access files that contain administrative passwords,; current and pending transactions and credit card information (along with name,; address, etc). |
| Descripción: | Summary: We detected a vulnerable version of the DCShop CGI. This version does not properly protect user and credit card information. It is possible to access files that contain administrative passwords, current and pending transactions and credit card information (along with name, address, etc). Solution: 1. Rename following directories to something hard to guess: - Data - User_carts - Orders - Auth_data 2. Make these changes to dcshop.setup and dcshop_admin.setup. - In dcshop.setup, modify: $datadir = '$cgidir/Data' $cart_dir = '$cgidir/User_carts' $order_dir = '$cgidir/Orders' - In dcshop_admin.setup, modify: $password_file_dir = '$path/Auth_data' 3. Rename dcshop.setup and dcshop_admin.setup to something difficult to guess. For example, dcshop_4314312.setup and dcshop_admin_3124214.setup 4. Edit dcshop.cgi, dcshop_admin.cgi, and dcshop_checkout.cgi and modify the require statement for dcshop.setup and dcshop_admin.setup. That is: - In dcshop.cgi, modify require '$path/dcshop.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' - In dcshop_admin.cgi, modify require '$path/dcshop.setup' require '$path/dcshop_admin.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' require '$path/dcshop_admin_3124214.setup' - In dcshop_checkout.cgi, modify require '$path/dcshop.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' 5. Save following file as index.html and upload it to your /cgi-bin/dcshop directory, thereby hiding directory listing. On NT servers, you may have to rename this file to default.htm. This page show 'Internal Server Error' so it is not an error page... it's just an index.html file to HIDE directories. 6. Replace your current files with above files. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Referencia Cruzada: |
Common Vulnerability Exposure (CVE) ID: CVE-2001-0821 BugTraq ID: 2889 http://www.securityfocus.com/bid/2889 Bugtraq: 20010618 DCShop vulnerability (Google Search) http://archives.neohapsis.com/archives/bugtraq/2001-06/0233.html XForce ISS Database: dcshop-cgi-retrieve-information(6707) https://exchange.xforce.ibmcloud.com/vulnerabilities/6707 |
| Copyright | Copyright (C) 2001 SecuriTeam & Copyright (C) 2000 Noam Rathaus |
| Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora. |