ClickCartPro E-Commerce Software Configuration Error May Disclose Administrator Password to Remote Users
SecurityTracker Alert ID: 1004825|
SecurityTracker URL: http://securitytracker.com/id/1004825
(Links to External Site)
Updated: Jun 3 2008|
Original Entry Date: Jul 24 2002
Disclosure of authentication information|
Vendor Confirmed: Yes Exploit Included: Yes |
A configuration vulnerability was reported in the ClickCartPro commerce software. A remote user may be able to access the administrative database containing the administrator's password.|
SecuriTeam reported that, due to an unspecified configuration error, a remote user can obtain a copy of the administrative database using the following type of URL:
According to the report, the admin_user file contains the username and password of the webmaster and administrator of the site.
SecuriTeam credits Leo Siagian and Electronic Commerce Department - Kryptronic, Inc. with reporting this flaw.
A remote user may be able to obtain the administrator's password.|
The vendor recommends in their README file that the files in the data directory be protected, either by using web server access controls on the directory or by placing the directory outside of the web document directory.|
Vendor URL: www.clickcartpro.com/app/cgi-bin/cp-app.cgi?pg=main_products_ccp (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [NEWS] ClickCartPro Security Vulnerability (Misconfiguration)|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
ClickCartPro Security Vulnerability (Misconfiguration)
<http://www.clickcartpro.com/> ClickCartPro is a complete e-commerce
solution. Manage a store with products for sale. Features include
categories, specials, shipping flexibility, admin statistics, order
tracking, discounts, a mail list program, file upload utilities, a banner
ad rotation program, multiple product options, and relationships, more. A
security vulnerability has been found in several configurations under the
Windows operating system due to a misconfiguration issue.
* ClickCartPro version 4.0
Accessing the following URL will allow access to the user's database:
The admin_user file contains the username and password of the webmaster
and administrator of the site.
From the README:
Protecting the files in the data directory is of the highest importance.
Owners who will be running this package on Apache web server with
htaccess file protection enabled can place this directory in the same
location as the web accessible portion of their site. .htaccess files are
provided with the directory to ensure browsing via the web will not be
allowed. For those owners with Windows servers or for those not running
Apache web server, it is highly recommended that the data directory be
stored in a non-web accessible portion of your account.
The information has been provided by <mailto:firstname.lastname@example.org> Leo
Siagian and <mailto:email@example.com> Electronic Commerce Department -
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages.