SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   JustAddCommerce
Vendors:   Rich Media Technologies
(Vendor States That There is No Vulnerability) Re: Rich Media Technologies JustAddCommerce E-commerce Software Discloses User Passwords to Local Users
SecurityTracker Alert ID:  1005260
SecurityTracker URL:  http://securitytracker.com/id/1005260
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 20 2002
Impact:   Disclosure of authentication information


Description:   A vulnerability was reported in the Rich Media Technologies JustAddCommerce e-commerce addon for Dreamweaver and FrontPage, but the vendor has responded that there is no vulnerability.

In the original report, SecuriTeam reported that there was an information disclosure vulnerability in the JustAddCommerce shopping cart software. It was reported that the 'rtm.log' file contains customer IDs and passwords that are stored in plain text.

The vendor has responded that the observed behavior as reported by SecuriTeam was due to a test file being inadvertently present on the server and is *not* due to a vulnerability in the product or the product's configuration.

According to the vendor, the 'RMT.LOG' file that was reported to contain usernames and passwords was only a temporary test file that is not part of the distribution version or the product itself. The product apparently does not create log files that would reside on the web server front end.

Impact:   It appears that this is not a vulnerability, so there is no impact.
Solution:   It appears that this is not a vulnerability, so no solution is required.
Vendor URL:  www.richmediatech.com/justaddcommerce/index.asp
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 22 2002 Rich Media Technologies JustAddCommerce E-commerce Software Discloses User Passwords to Local Users



 Source Message Contents

Subject:  JustAddCommerce not vulnerable


Rich Media Technologies has responded that the observed behavior as reported by SecuriTeam
was due to a test file being inadvertently present on the server and is *not* due to a
vulnerability in the product or the product's configuration.  According to the vendor, the
'RMT.LOG' file that was reported to contain usernames and passwords was only a temporary
test file that is not part of the distribution version or the product itself.  The product
apparently does not create log files that would reside on the web server front end.

Portions of the vendor's response are provided below:

>>The RMT.LOG file was a test file that contained test data (including
test user names and passwords).  The live JustAddCommerce software does
not generate any log files that would appear on the web server front
ends.  The RMT.LOG file is not a normal file for the JustAddCommerce
software; it was only on the server for testing purposes.  On the
distributed version of JustAddCommerce, there are no log files generated
as wrongfully indicated in the report from SecuriTeam.<<

For more information, you can contact sales@justaddcommerce.com


 
 



Copyright 2022, SecurityGlobal.net LLC