CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
BID:12402
Info
CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
| Bugtraq ID: | 12402 |
| Class: | Access Validation Error |
| CVE: |
CVE-2005-0229 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 31 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Reported by Maximillian Dornseif <[email protected]> . |
| Vulnerable: |
CitrusDB Customer Database 0.3.5 CitrusDB Customer Database 0.3.1 CitrusDB Customer Database 0.3 CitrusDB Customer Database 0.2.1 CitrusDB Customer Database 0.2 CitrusDB Customer Database 0.1.2 |
| Not Vulnerable: |
CitrusDB Customer Database 0.3.6 |
Discussion
CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
A remote information disclosure issue affects CitrusDB. This issue is due to a design problem that grants unauthorized users the ability to export sensitive data.
An attacker may leverage this issue to gain access to sensitive information including credit card data.
A remote information disclosure issue affects CitrusDB. This issue is due to a design problem that grants unauthorized users the ability to export sensitive data.
An attacker may leverage this issue to gain access to sensitive information including credit card data.
Exploit / POC
CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
No exploit is required to leverage this issue. To exploit a default configuration, the attacker needs only access:
[path to CitrusDB]/io/newfile.txt
where [path to CitrusDB] is the path relative to the web root.
No exploit is required to leverage this issue. To exploit a default configuration, the attacker needs only access:
[path to CitrusDB]/io/newfile.txt
where [path to CitrusDB] is the path relative to the web root.
Solution / Fix
CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
Solution:
The vendor has provided an upgrade dealing with this issue.
CitrusDB Customer Database 0.1.2
CitrusDB Customer Database 0.2
CitrusDB Customer Database 0.2.1
CitrusDB Customer Database 0.3
CitrusDB Customer Database 0.3.1
CitrusDB Customer Database 0.3.5
Solution:
The vendor has provided an upgrade dealing with this issue.
CitrusDB Customer Database 0.1.2
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
CitrusDB Customer Database 0.2
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
CitrusDB Customer Database 0.2.1
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
CitrusDB Customer Database 0.3
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
CitrusDB Customer Database 0.3.1
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
CitrusDB Customer Database 0.3.5
-
CitrusDB CitrusDB 0.3.6
http://www.citrusdb.org/citrus-0.3.6.tar.gz
References
CitrusDB Credit Card Data Remote Information Disclosure Vulnerability
References:
References:
- [Full-Disclosure] Credit Card data disclosure in CitrusDB (Maximillian Dornseif
- CitrusDB 0.3.6 Change Log (CitrusDB)
- CitrusDB Customer Database Home Page (CitrusDB)