Multiple shopping cart .mdb database file access

shopping-cart-database-access (9816)

High Risk

Description:

Many popular shopping cart applications that use a Microsoft Access database backend do not properly restrict access to the shopping cart database file (.mdb). This could allow a remote attacker to send a specially-crafted URL request to the server to download the database and gain unauthorized access to sensitive customer information.

Platforms Affected:

• Alan Ward, A-CART 2.0
• ComCity Corporation, SalesCart-PRO
• ComCity Corporation, SalesCart-STD
• Early Impact, ProductCart 1.0 to 2.0
• eCatalogBuilders, CatalogIntegratorCart
• MetaLinks, MetaCart2.SQL
• MidiCart, Midicart ASP Maxi
• MidiCart, Midicart ASP Plus
• MidiCart, Midicart ASP
• Probe Trading International, PT Advanced Shoppingcart 1.0
• Rocksalt International, VP-ASP 4.00
• Rocksalt International, VP-ASP 5.0
• URLogy, a.shopKart 2.0

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Gain Access

References:

• Alan Ward's Web site, A-CART - Shopping online is easy at http://www.alanward.net/acart/.
• BugTraq Mailing List, Fri Jun 21 2002 - 15:44:24 CDT, Salescart vuln. at http://archives.neohapsis.com/archives/bugtraq/2002-06/0295.html.
• BugTraq Mailing List, Mon May 27 2002 - 03:54:00 CDT, VP-ASP shopping cart software. at http://archives.neohapsis.com/archives/bugtraq/2002-05/0229.html.
• BugTraq Mailing List, Sun Jun 09 2002 - 21:49:11 CDT, Re: VP-ASP shopping cart software. at http://archives.neohapsis.com/archives/bugtraq/2002-06/0061.html.
• BugTraq Mailing List, Tue Jun 18 2002 - 06:20:48 CDT, Metacart vuln. at http://archives.neohapsis.com/archives/bugtraq/2002-06/0200.html.
• BugTraq Mailing List, Wed Aug 07 2002 - 03:22:51 CDT , MidiCart Shopping Cart Software database vulnerability at http://archives.neohapsis.com/archives/bugtraq/2002-08/0074.html.
• CatalogIntegrator Web site, CatalogIntegrator Shopping Cart by eCatalogBuilders, Catalog Integrator Cart at http://www.catalogintegrator.com/.
• EarlyImpact Web site, ASP shopping cart software and custome ecommerce solutions at http://www.earlyimpact.com/index.asp.
• MetaCart Web site, Securing an Access Database at http://metalinks.com/secure.htm.
• SalesCart Web site, SalesCart - Electronic Shopping Cart for FrontPage E-commerce at http://www.salescart.com/.
• SecuriTeam.com, Windows NT focus 7 Jul 2003, ProductCart's Database File can be Downloaded From a Remote Location at http://www.securiteam.com/windowsntfocus/5DP0420AKG.html.
• URLogy Web site, a.shopKart - Free ASP shopping cart at http://www.urlogy.com/asp/ashopkart.asp.
• VP-ASP Web site, Security at http://www.vpasp.com/virtprog/info/faq_security.htm.
• VP-ASP Web site, VP-ASP Comprohensive Shopping Cart at http://www.vpasp.com/.
• BID-2299: Multiple Vendor e-commerce Shopping Cart Information Disclosure Vulnerability
• BID-5042: MetaLinks MetaCart2.SQL Database Disclosure Vulnerability
• BID-5438: Midicart ASP Remote Customer Information Retrieval Vulnerability
• BID-544: Emurl Scripting Vulnerability
• BID-5597: Alan Ward A-Cart Web Accessable Database File Vulnerability
• BID-8112: ProductCart File Disclosure Vulnerability
• CVE-2002-0943: MetaCart2.sql stores the user database under the web document root without access controls, which allows remote attackers to obtain sensitive information such as passwords and credit card numbers via a direct request for metacart.mdb.
• CVE-2002-1432: MidiCart stores the midicart.mdb database file under the Web document root, which allows remote attackers to steal sensitive information by directly requesting the database.
• CVE-2003-1304: EarlyImpact ProductCart 1.0 through 2.0 stores database/EIPC.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive database information via a direct request.
• CVE-2006-2823: Katrien De Graeve a.shopKart 2.0 (aka ashopKart20) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) admin/scart.mdb and possibly (2) admin/scart97.mdb.
• CVE-2006-2948: A-CART 2.0 stores the acart2_0.mdb file under the web document root with insufficient access control, which allows remote attackers to obtain username and password information.
• OSVDB ID: 26237: a.shopKart scart.mdb Direct Request Customer Information Disclosure
• SA20485: a.shopKart "scart.mdb" Exposure of Customer Information
• SA20508: A-CART "acart2_0.mdb" Exposure of User Credentials
• SA9195: ProductCart Database Content Disclosure Security Issue
• SECTRACK ID: 1005171: A-CART ASP-based Shopping Cart Discloses Database Contents to Remote Users
• SECTRACK ID: 1009549: a.shopKart Default Installation Discloses Database to Remote Users
• VUPEN/ADV-2006-2207: A-CART acart2_0.mdb Database File Remote Information Disclosure Vulnerability
• VUPEN/ADV-2006-2208: a.shopKart scart.mdb Database File Remote Information Disclosure Vulnerability

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page