Full Disclosure mailing list archives
Credit Card data disclosure in CitrusDB
From: Maximillian Dornseif <dornseif () informatik rwth-aachen de>
Date: Sat, 12 Feb 2005 23:31:03 +0100
Credit Card data disclosure in CitrusDB

A group of students at our lab called RedTeam found an information disclosure vulnerability in CitrusDB which can result in the disclosure of credit card information.

Details
=======

Product: CitrusDB
Affected Version: <= 0.3.5
Immune Version: >= 0.3.6
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/
Vendor-Status: informed, new version released
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-001
CVE: CAN-2005-0229

Introduction
============

Description from vendor: "CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information."

CitrusDB uses a text file to temporarily store credit card information. This text file is located inside the web tree at a static URL and is therefore accessible to third parties. It is also not deleted after processing, which leaves an attacker a large window of opportunity.

More Details
============

The path to the text file, "<path to CitrusDB>/io/newfile.txt", is stated in the files "tools/uploadcc.php" and "tools/importcc.php". The <path to CitrusDB> is always known to anyone browsing the site, so "newfile.txt", which contains the credit card data, can easily be found and fetched. This leads to disclosure of the confidential data stored in that file.

Proof of Concept
================

Append "/citrusdb/io/newfile.txt" to the URL of a site running a default CitrusDB installation.

Workaround
==========

Either deny access to the file using the access restriction features of your web server, or change CitrusDB to use a file outside the document root that is not accessible via HTTP.

Fix
===

Update to CitrusDB version 0.3.6 or higher and set $path_to_ccfile in the configuration to a path not accessible via HTTP.

Security Risk
=============

The software is still beta, so it probably isn't widely used. To sites running CitrusDB, the risk is very high because credit card data is concerned. Disclosure of credit card data can lead to serious liability issues for the site.

Vendor Status
=============

2005-01-28 Email sent to author
2005-01-28 Answer from author received, new version released

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH Aachen University. You can find more information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
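The defect and the fix described in the advisory above, as an added illustration in PHP. This is not CitrusDB's code: the function names, the `$docroot` value, the `$path_to_ccfile` value and the sample card batch are assumptions made for the example; only the file name "io/newfile.txt" and the configuration variable `$path_to_ccfile` come from the advisory.

```php
<?php
// Added example, not CitrusDB code. Shows the pattern the advisory describes
// (a predictable card file inside the web tree that is never removed) next to
// one way of handling the same temporary file safely.

// Constructed sample batch standing in for the uploaded card data.
$batch = "4111111111111111,12/07,John Doe\n5500000000000004,03/06,Jane Roe\n";

// Defect: static, predictable path under the document root, created with the
// web server's umask and never unlinked, so it is fetchable as
// http://<host>/citrusdb/io/newfile.txt for as long as it exists.
function write_cc_batch_vulnerable(string $docroot, string $batch): string
{
    $file = $docroot . '/citrusdb/io/newfile.txt';
    file_put_contents($file, $batch);
    return $file;   // nothing ever removes it
}

// True when $path lies beneath $docroot. Two checks (Unix paths assumed):
//  - the path as configured, which catches a symlink inside the web tree that
//    points at a directory outside it (realpath() would hide that);
//  - the resolved path, which catches "/var/www/html/../../tmp"-style values.
// Neither check can see Alias or symlink mappings made in the web server's own
// configuration; those have to be reviewed there.
function is_under_docroot(string $path, string $docroot): bool
{
    $roots = array_filter([rtrim($docroot, '/'), realpath($docroot)]);
    $candidates = array_filter([rtrim($path, '/'), realpath($path)]);
    foreach ($roots as $root) {
        foreach ($candidates as $cand) {
            if ($cand === $root || strncmp($cand, $root . '/', strlen($root) + 1) === 0) {
                return true;
            }
        }
    }
    return false;
}

// Fix: unpredictable name in the directory named by $path_to_ccfile (outside
// the document root), owner-only permissions, and unconditional removal once
// $process has consumed the batch, even if processing throws.
function write_cc_batch_safe(string $path_to_ccfile, string $docroot, string $batch, callable $process): void
{
    if (is_under_docroot($path_to_ccfile, $docroot)) {
        throw new RuntimeException("path_to_ccfile must not be inside the document root: $path_to_ccfile");
    }
    $file = tempnam($path_to_ccfile, 'cc');
    // tempnam() silently falls back to the system temp directory when
    // $path_to_ccfile is missing or unwritable; refuse that rather than
    // scattering card data into /tmp.
    if ($file === false || realpath(dirname($file)) !== realpath($path_to_ccfile)) {
        if ($file !== false) {
            unlink($file);
        }
        throw new RuntimeException("cannot create the card file inside $path_to_ccfile");
    }
    try {
        chmod($file, 0600);   // tempnam() already uses 0600; this guards against odd umasks
        file_put_contents($file, $batch);
        $process($file);
    } finally {
        unlink($file);
    }
}

// Assumed deployment values for the example.
$docroot = '/var/www/html';
$path_to_ccfile = '/var/lib/citrusdb';   // outside the web tree, writable only by the web server user

write_cc_batch_safe($path_to_ccfile, $docroot, $batch, function (string $file): void {
    // import $file into the database here
});
```

The advisory's fix moves the file out of the web tree; the example also removes it after processing, because the second half of the finding, the file never being deleted, is what turns a short exposure into a standing one. For the first workaround on the Apache releases of the period, a `<Files newfile.txt>` section with `Order allow,deny` and `Deny from all` (or `Require all denied` on Apache 2.4) makes the web server refuse the request, but the plaintext card data still sits on disk, readable by anyone with local or backup access, which is why relocating and deleting the file is the better fix.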
Current thread:
- Credit Card data disclosure in CitrusDB Maximillian Dornseif (Feb 12)
- Re: Credit Card data disclosure in CitrusDB Loptr Chaote (Feb 13)
- RE: [lists] Re: Credit Card data disclosure in CitrusDB Curt Purdy (Feb 13)
- RE: [lists] Credit Card data disclosure in CitrusDB Curt Purdy (Feb 13)
- Re: Credit Card data disclosure in CitrusDB ZATAZ (Feb 13)
- Re: Credit Card data disclosure in CitrusDB Thierry Zoller (Feb 13)
- Re: Credit Card data disclosure in CitrusDB ZATAZ (Feb 13)
- Re: Credit Card data disclosure in CitrusDB Thierry Zoller (Feb 13)
- Re: Credit Card data disclosure in CitrusDB Loptr Chaote (Feb 13)