Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Credit Card data disclosure in CitrusDB
From: ZATAZ <exploits () zataz net>
Date: Sun, 13 Feb 2005 15:07:15 +0100

Hello,

As I can see this is not the only adviso for CitrusDB.

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-002.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-003.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004.txt
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-005.txt

Also new adviso for awstats 6.2 :

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-006.txt

JPEG EXIF information disclosure :

http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-008.txt

This adviso are not official ?

Regards.

Le 12 févr. 05, à 23:31, Maximillian Dornseif a écrit :

Credit Card data disclosure in CitrusDB

A group of students at our lab called RedTeam found an information
disclosure vulnerability in CitrusDB which can result in disclosure of
credit card information.

Details
=======

Product: CitrusDB
Affected Version: <= 0.3.5
Immune Version: >=0.3.6
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed, new version released
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-001
CVE: CAN-2005-0229

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP
and a database backend (currently MySQL) to keep track of customer
information, services, products, billing, and customer service
information."

CitrusDB uses a textfile to temporarily store credit card information.
This textfile is located in the web tree via a static URL and thus
accessible to third parties. It also isn't deleted after processing
resulting in a big window of opportunity for an attacker.

More Details
============

The URL to the textfile "<path to CitrusDB>/io/newfile.txt" is stated
in the files "tools/uploadcc.php" and "tools/importcc.php". The <path
to CitrusDB> is always known while surfing. Therefor also "newfile.txt"
containing the credit card data can be easily found and accessed. This
leads to disclosure of the confidential data stored in that file.

Proof of Concept
================

Add "/citrusdb/io/newfile.txt" to the URL of a site running CitrusDB
default installation.

Workaround
==========

Either deny access to the file using access restriction features of
your webserver or change CitrusDB to use a file outside document root
and not accessible via http.

Fix
===

Update to CitrusDB version 0.3.6 or higher and set the $path_to_ccfile
in the configuration to a path not accessible via http

Security Risk
=============

The software is still beta, so it probably isn't widely used. To sites
running CitrusDB, the risk is very high because credit card data is
concerned. Disclosure of credit card data can lead to serious liability
issues for the site.

Vendor Status
=============

2005-01-28 Email sent to author
2005-01-28 Answer from author received, new version released

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
more Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Cordialement

-----------------------------------------------------

Eric Romang / ZATAZ / ZATAZ Internet
Co-fondateur de ZATAZ
President Association ZATAZ Internet
eromang () zataz net
http://www.zataz.com
GSM : +352 091 600 404
B.P. 311
59474 Seclin Cedex
France

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault