J-Security Center

Title: DCForum DCShop File Disclosure Vulnerability

Severity: CRITICAL

Description:

DCScripts DCShop File Disclosure Vulnerability

DCShop is a CGI-based ecommerce system from DCScripts.

By default, DCShop installs into fixed, easily guessed directories such as /Orders, /Auth-data and /User_carts.

Under certain configurations, a beta version of this product can allow a remote user to request and obtain files from these directories. Those files contain confidential order data, including credit card numbers and other private customer information, as well as the DCShop administrator login ID and password. If exploited, this information could allow an attacker to interfere with the site's operations and/or further compromise its security.

This problem has been reported not to exist under properly configured web servers. The vulnerable configurations are those that grant the "Everyone" group "Full Access" to the cgi-bin directory and its sub-folders, so that the data files stored there can be served directly to web clients.
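The following is an added example for checking whether a DCShop install serves its data directories directly; it is not part of this advisory or of DCScripts' code. It only requests the directory paths named above and inspects the HTTP status, without downloading or storing any order data. The cgi-bin prefix, the trailing slash and the base URL are assumptions about a typical layout; the offline stub responses are constructed for illustration.

```python
"""Non-destructive check for directly retrievable DCShop data directories.

Added example, not part of the advisory or of DCScripts' own code.  It
issues a plain GET for each directory the advisory names and records the
status code; it never reads or stores response bodies.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Directory names taken from the advisory.  The cgi-bin prefix and the
# trailing slash below are assumptions about a typical DCShop layout.
DCSHOP_DATA_DIRS = ["Orders", "Auth-data", "User_carts"]

# A fetcher maps a URL to an HTTP status code.  It is injected so the check
# can run offline against a stub (see offline_stub_fetcher).
Fetcher = Callable[[str], int]


def default_fetcher(url: str, timeout: float = 10.0) -> int:
    """Issue a GET and return the status code without reading the body."""
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "dcshop-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # 403/404 etc. are the interesting "refused" outcomes, not failures.
        return exc.code


def offline_stub_fetcher(url: str) -> int:
    """Constructed responses for an offline demonstration (assumption):
    /Orders/ is served, /Auth-data/ is forbidden, everything else is absent."""
    if "/Orders/" in url:
        return 200
    if "/Auth-data/" in url:
        return 403
    return 404


def probe_dcshop_dirs(
    base_url: str, fetcher: Fetcher = default_fetcher, cgi_dir: str = "cgi-bin"
) -> Dict[str, int]:
    """Return {directory_name: http_status} for each DCShop data directory."""
    base = base_url.rstrip("/")
    results: Dict[str, int] = {}
    for name in DCSHOP_DATA_DIRS:
        results[name] = fetcher(f"{base}/{cgi_dir}/{name}/")
    return results


def exposed_dirs(status_by_dir: Dict[str, int]) -> List[str]:
    """Directories that answered 2xx, i.e. the server is willing to serve the
    path directly.  A 403 or 404 is the expected answer on a locked-down
    install where these folders are not reachable through the web server."""
    return sorted(d for d, code in status_by_dir.items() if 200 <= code < 300)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://shop.example/"
    statuses = probe_dcshop_dirs(target)
    for name, code in statuses.items():
        print(f"{name:12s} {code}")
    print("directly served:", exposed_dirs(statuses) or "none")
```

A 2xx on a directory URL means the web server handed back something for that path (a listing or an index page) and the folder permissions deserve a look; it is a signal to investigate, not proof that order files were disclosed. Conversely, a 403 or 404 on the directory itself does not prove that individual files with guessable names inside it cannot be fetched, so the real fix remains keeping these data directories out of the web-served tree and not granting "Everyone" full access to cgi-bin and its sub-folders.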

Affected Products:

  • DC Scripts DCShop Beta 1.0.0 02

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.