ZH2003-9SA (security advisory): .netCart information disclosure

Published: 16/07/2003
Released: 16/07/2003
Name: .netCart
Affected Systems: All versions (?)
Issue: Remote attackers can obtain admin information (including passwords)
Author: G00db0y@zone-h.org

Description
***********
Zone-h Security Team has discovered a serious security flaw in the current version of .netCart (and older versions?).

".netCART is a full featured ecommerce and shopping cart component designed for ASP.NET. This product provides a complete ecommerce solution for ASP.NET."

Details
*******
.netCART is designed for ASP.NET, so it works with XML files. It is possible to retrieve the source of one of these files, which contains admin information. With this information it is then possible to log in to services such as ups.com, usps.com and www.authorizenet.com and see much more information from there.

The file with this problem is here:
http://www.example.com/Data/settings.xml

Solution:
*********
The vendor has been contacted and a patch has not yet been produced.

Suggestions:
************
Protect this file.

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2708/
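
One way to act on the "Protect this file" suggestion, as an added example that is not part of the original advisory or of .netCart: a site-root web.config that stops IIS from serving anything under the Data directory. It assumes IIS 7 or later with the Request Filtering module (newer than the servers of the advisory's date) and that Data/ sits directly under the site root, as in the URL above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config at the site root.
     Assumptions: IIS 7+ with Request Filtering; Data/ is directly under
     the site root, matching the advisory's /Data/settings.xml path. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- Any request whose URL contains the path segment "Data" is
               refused (HTTP 404, substatus 8). Request filtering applies
               only to HTTP requests, so the application can still read
               settings.xml from disk. -->
          <add segment="Data" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying it, a request for /Data/settings.xml on your own site should return 404 instead of the file contents. Because the match is on the segment name, any other URL on the site that contains a "Data" path segment is blocked as well.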