Cookie Cart passwd.txt Authentication Credential Disclosure

2005-05-23T07:42:28
ID OSVDB:16755
Type osvdb
Reporter SoulBlack - Security Research (group@soulblack.com.ar)
Modified 2005-05-23T07:42:28

Description

Vulnerability Description

Cookie Cart contains a flaw that may lead to unauthorized password exposure. The encrypted passwords can be retrieved by requesting the passwd.txt file directly with a browser, which may lead to a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: secure the passwd.txt file using .htaccess.
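
One way to apply the .htaccess workaround, shown as an added example that is not part of the original advisory or the vendor's code. It assumes the site runs on Apache and that the file is placed in the cart's data directory, next to passwd.txt.

```apache
# .htaccess in the directory that holds passwd.txt (assumed: cart/data/)
# Added example: blocks all HTTP access to passwd.txt.

# Apache 2.4 and later (mod_authz_core is present)
<IfModule mod_authz_core.c>
    <Files "passwd.txt">
        Require all denied
    </Files>
</IfModule>

# Apache 2.2 and earlier (legacy host-based access control)
<IfModule !mod_authz_core.c>
    <Files "passwd.txt">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>
```

The server must allow these directives in .htaccess (AllowOverride AuthConfig for Require, AllowOverride Limit for Order/Deny); with AllowOverride None the file is silently ignored. Once it is in effect, the request listed under Manual Testing Notes should return 403 Forbidden instead of the file contents.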

Manual Testing Notes

http://[victim]/cart/data/passwd.txt

References:

Vendor URL: http://www.metromkt.net/ccart
Security Tracker: 1014026
Secunia Advisory ID: 15448
Related OSVDB ID: 16753
Related OSVDB ID: 16754
Other Advisory URL: http://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0261.html
CVE-2005-1733