VID | 21765
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The Comersus Shopping Cart program allows anyone to download its customer database file. Comersus Shopping Cart is a freely available shopping cart program for Microsoft Windows and Linux operating systems. It fails to restrict access to its customer database file, 'database/comersus.mdb', which contains the complete order history, including customers' credit card numbers and order details, as well as all admin and user passwords. In addition, the Comersus encryption tool uses the same default password to encrypt and decrypt credit card numbers in every version of the application, so the stored card data can be decrypted trivially once the file has been obtained.
* References: http://www.morx.org/comersus.txt
* Platforms Affected: Comersus Open Technologies, Comersus Shopping Cart (any version); Linux (any version); Microsoft Windows (any version) |
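Added example (not from the advisory or the vendor): a defender-side log check that flags requests for the unprotected customer database file in a web server access log, distinguishing downloads the server actually served (status 2xx) from probes that were blocked. It generalises slightly beyond the advisory by matching any .mdb file under a database/ directory, URL-decoded and case-insensitive, since Windows hosts serve the path regardless of case. The log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Common Log Format); not taken from the original page.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2005:10:12:01 +0000] "GET /comersus/store/index.asp HTTP/1.1" 200 5123
203.0.113.7 - - [03/Nov/2005:10:12:09 +0000] "GET /comersus/database/comersus.mdb HTTP/1.1" 200 4194304
198.51.100.4 - - [03/Nov/2005:10:15:33 +0000] "GET /comersus/DATABASE/Comersus.MDB HTTP/1.0" 200 4194304
198.51.100.9 - - [03/Nov/2005:10:16:00 +0000] "GET /comersus/database/%63omersus.mdb HTTP/1.1" 403 221
192.0.2.5 - - [03/Nov/2005:10:20:41 +0000] "HEAD /comersus/database/comersus.mdb HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_database_path(path: str) -> bool:
    """True if the request targets an Access database under a database/ directory
    (query string dropped, URL-decoded, case-insensitive), e.g. database/comersus.mdb."""
    p = unquote(path.split("?", 1)[0]).lower()
    return "/database/" in p and p.endswith(".mdb")


def find_database_downloads(log_text: str) -> list:
    """Return one record per request for the database file. 'served' is True when the
    server answered 2xx, i.e. the customer data and passwords left the host; a 403/404
    means access is restricted but someone is probing for the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_database_path(m["path"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "timestamp": m["ts"], "path": m["path"],
                     "status": status, "served": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for h in find_database_downloads(SAMPLE_LOG):
        verdict = "DATABASE SERVED: treat card data and passwords as exposed" if h["served"] else "probe blocked"
        print(f'{h["timestamp"]} {h["ip"]} {h["status"]} {h["path"]}: {verdict}')
```

Any 'served' hit should be handled as a data breach (card numbers are decryptable with the default password), not just as a web server misconfiguration.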
Recommendation |
No upgrade or patch available as of November 2005.
Upgrade to the latest version of Comersus Shopping Cart when a fixed version becomes available from the Comersus Open Technologies download site at http://www.comersus.com/comersus-downloads/ |
Related URL | 15251 (SecurityFocus)