Webcart Default Install Configuration Disclosure

medium Nessus Plugin ID 10298

Synopsis

The remote CGI script is vulnerable to information disclosure.

Description

At least one of these files or directories is world-readable:

/webcart/orders/
/webcart/orders/import.txt
/webcart/carts/
/webcart/config/
/webcart/config/clients.txt
/webcart-lite/orders/import.txt
/webcart-lite/config/clients.txt

This misconfiguration may allow an attacker to gather the credit card numbers of your clients.

Solution

Restrict read permissions on the webcart directories.
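
A local audit for the paths listed in the description, as an added example that is not part of the plugin or of Webcart itself: it reports which of them exist under a document root with any permission bit set for "other", and then removes those bits. The function names and the document-root argument are assumptions, as is the premise that the cart's CGI runs as the owner or group of these files, so dropping "other" access does not break it.

```shell
#!/bin/sh
# Added example, not plugin code. Relative paths are the ones the plugin lists.
WEBCART_PATHS='webcart/orders
webcart/orders/import.txt
webcart/carts
webcart/config
webcart/config/clients.txt
webcart-lite/orders/import.txt
webcart-lite/config/clients.txt'

# other_bits PATH: print the "other" permission triplet, e.g. "r-x" or "---".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_webcart DOCROOT: print each listed path that exists and grants any
# access to "other". Returns 1 if at least one such path was found, else 0.
# DOCROOT is an assumed argument: the directory that contains webcart/.
audit_webcart() {
    docroot=$1
    found=0
    for rel in $WEBCART_PATHS; do
        p="$docroot/$rel"
        [ -e "$p" ] || continue          # not installed here, nothing to report
        case $(other_bits "$p") in
            ---) ;;                      # already closed to "other"
            *)   echo "$rel"; found=1 ;;
        esac
    done
    return $found
}

# harden_webcart DOCROOT: remove all "other" access below both install
# directories, covering order and client files not named in the list too.
harden_webcart() {
    for top in webcart webcart-lite; do
        [ -d "$1/$top" ] && chmod -R o-rwx "$1/$top"
    done
    return 0
}
```

Run `audit_webcart` against the web server's document root before and after `harden_webcart`; an empty second report means none of the listed paths is readable through "other" permissions any more.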

See Also

https://marc.info/?l=bugtraq&m=92462991805485&w=2

Plugin Details

Severity: Medium

ID: 10298

File Name: webcart.nasl

Version: 1.38

Type: remote

Family: CGI abuses

Published: 9/10/1999

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Exploit Ease: No exploit is required

Vulnerability Publication Date: 4/20/1999

Reference Information

CVE: CVE-1999-0610

BID: 2281