CVE

Id
589  
CVE No.
CVE-1999-0607  
Status
Candidate  
Description
quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under the web document root with insufficient access control, which allows remote attackers to obtain the cleartext administrator password and gain privileges.  
Phase
Modified (20060608)  
Votes
ACCEPT(1) Baker | MODIFY(1) Frech | NOOP(3) Christey, Northcutt, Wall  
Comments
Frech> XF:quikstore-misconfig(3858) | Christey> http://www.quikstore.com/help/pages/Security/security.htm says: | | "It is IMPORTANT that during the setup of the QuikStore program, you | check to make sure that the cgi-bin or executable program directory | of your web site not be viewable from the outside world. You don"t | want the users to have access to your programs or log files that could | be stored there! | | ... | | If you can view or download these files from the browser, someone | else can too" | | So is this a configuration problem? See the configuration file at | http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm | The [DIRECTORY_PATHS] section identifies pathnames and describes how | pathnames are constructed. It clearly uses relative pathnames, | so all data is underneath the base directory!! | | If we call this a configuration problem, then maybe this (and | all other "CGI-data-in-web-tree" configuration problems) should | be combined. | Christey> Consider adding BID:1983  

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
1100 589 CVE-1999-0607 BUGTRAQ:19990420 Shopping Carts exposing CC data  View

Related JVN