Home page logo
/

bugtraq logo Bugtraq mailing list archives

ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure
From: G00db0y <G00db0y () zone-h org>
Date: 9 Aug 2003 13:28:46 -0000



ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure


Published: 9 august 2003

Released: 9 august 2003

Name: geeeekShop Shopping Cart System 

Affected Systems: 1.4.0

Issue: Remote attackers can know the path of the site

Author: G00db0y () zone-h org

Vendor: http://www.geeeeksoft.com

Description

***********

Zone-h Security Team has discovered a flaw in geeeekShop Shopping Cart
v1.4.0. "geeeekShop is a PHP / MySQL based shopping cart system that is 
easy enough for somebody who is new to the internet but powerful enough 
for the seasoned veteran."



Details

*******
 
It's possible to make a malformed http request for many files in
geeeekShop Shopping Cart and in doing so trigger an error. 
The resulting error message will disclose potentially sensitive 
installation 
path information to the remote attacker.

Example:

http://www.site.com/shop/?category=xxxxxx&parent=0&page=x&/&apos;


If we do a simple http request for many files in geeeekShop Shopping Cart 
we
will have the same problem.

Example:

http://www.site.com/shop/php_files/site.config.php 




Solution:

*********

The vendor has been contacted and a patch is not yet produced.


Suggestions:

************

Filter all files. 


G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2853/


  By Date           By Thread  

Current thread:
  • ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure G00db0y (Aug 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault