 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.10718 |
| Category: | Web application abuses |
| Title: | DCShop exposes sensitive files |
| Summary: | We detected a vulnerable version of the DCShop CGI.; This version does not properly protect user and credit card information.; It is possible to access files that contain administrative passwords,; current and pending transactions and credit card information (along with name,; address, etc). |
| Description: | Summary: We detected a vulnerable version of the DCShop CGI. This version does not properly protect user and credit card information. It is possible to access files that contain administrative passwords, current and pending transactions and credit card information (along with name, address, etc). Solution: 1. Rename following directories to something hard to guess: - Data - User_carts - Orders - Auth_data 2. Make these changes to dcshop.setup and dcshop_admin.setup. - In dcshop.setup, modify: $datadir = '$cgidir/Data' $cart_dir = '$cgidir/User_carts' $order_dir = '$cgidir/Orders' - In dcshop_admin.setup, modify: $password_file_dir = '$path/Auth_data' 3. Rename dcshop.setup and dcshop_admin.setup to something difficult to guess. For example, dcshop_4314312.setup and dcshop_admin_3124214.setup 4. Edit dcshop.cgi, dcshop_admin.cgi, and dcshop_checkout.cgi and modify the require statement for dcshop.setup and dcshop_admin.setup. That is: - In dcshop.cgi, modify require '$path/dcshop.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' - In dcshop_admin.cgi, modify require '$path/dcshop.setup' require '$path/dcshop_admin.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' require '$path/dcshop_admin_3124214.setup' - In dcshop_checkout.cgi, modify require '$path/dcshop.setup' so that it uses new setup file. For example, require '$path/dcshop_4314312.setup' 5. Save following file as index.html and upload it to your /cgi-bin/dcshop directory, thereby hiding directory listing. On NT servers, you may have to rename this file to default.htm. This page show 'Internal Server Error' so it is not an error page... it's just an index.html file to HIDE directories. 6. Replace your current files with above files. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2001-0821 BugTraq ID: 2889 http://www.securityfocus.com/bid/2889 Bugtraq: 20010618 DCShop vulnerability (Google Search) http://archives.neohapsis.com/archives/bugtraq/2001-06/0233.html XForce ISS Database: dcshop-cgi-retrieve-information(6707) https://exchange.xforce.ibmcloud.com/vulnerabilities/6707 |
| Copyright | Copyright (C) 2001 SecuriTeam & Copyright (C) 2000 Noam Rathaus |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |