A-CART Database Exposure

Summary

A-CART is an ASP shopping cart application written in VBScript. It consists of a number of ASP scripts and an Access database.

A security vulnerability in the product allows remote attackers to download the product's database and thus gain access to sensitive information about users of the product (name, surname, address, e-mail, credit card number, and the user's login password).

Credit:

The information has been provided by Tacettin Karadeniz.


Details

Problem:
Accessing the following URL will return the database used by the product:
http://acart.url/acart2_0/acart2_0.mdb

Solutions:
Once you have created the DSN, you need to tell A-CART its name. This can be done by editing the line in db.asp that reads:
strConn = "acart2_0"

Change "acart2_0" to the name of the DSN you have created.
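
As an added example (not part of the original advisory and not A-CART code), the following Python script audits a web root on disk for the two conditions described above: an Access database stored where it can be requested by URL, and a db.asp whose strConn still holds the shipped value. The directory layout, the DSN name shop_dsn and the choice to keep the .mdb file outside the served directory are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Matches the VBScript assignment quoted in the advisory: strConn = "..."
STRCONN_RE = re.compile(r'^\s*strConn\s*=\s*"([^"]*)"', re.I | re.M)

def audit_web_root(web_root):
    """Return findings for Access databases and unedited db.asp under web_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if name.lower().endswith(".mdb"):
                # Any file under the web root can be requested by URL unless
                # the server is configured to refuse it.
                findings.append(("db-in-webroot", rel))
            elif name.lower() == "db.asp":
                with open(full, encoding="latin-1") as fh:
                    match = STRCONN_RE.search(fh.read())
                if match and match.group(1) == "acart2_0":
                    findings.append(("strconn-unchanged", rel))
    return sorted(findings)

def build_sample_tree(root, hardened):
    """Create a constructed A-CART-like layout for the demonstration."""
    app = os.path.join(root, "wwwroot", "acart2_0")
    os.makedirs(app)
    dsn = "shop_dsn" if hardened else "acart2_0"  # "shop_dsn" is a made-up DSN name
    with open(os.path.join(app, "db.asp"), "w") as fh:
        fh.write('<%\nstrConn = "' + dsn + '"\n%>\n')
    # Assumption: the hardened layout keeps the database outside the served directory.
    db_dir = os.path.join(root, "data") if hardened else app
    os.makedirs(db_dir, exist_ok=True)
    with open(os.path.join(db_dir, "acart2_0.mdb"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real database")
    return os.path.join(root, "wwwroot")

def demo():
    """Audit a default-style tree and a hardened one; return both results."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (audit_web_root(build_sample_tree(a, hardened=False)),
                audit_web_root(build_sample_tree(b, hardened=True)))

if __name__ == "__main__":
    before, after = demo()
    print("default layout :", before)
    print("hardened layout:", after)
```

To audit a real installation, call audit_web_root() with the path of the site's served directory; an empty list means neither condition was found.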
