Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:PKG:CART32-ADM-PW-CHG |
|---|---|
Severity |
Critical |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
cart32 Admin Password Change |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: cart32 Admin Password Change
This signature detects attempts to exploit McMurtrey/Whitaker & Associates Cart32 shopping cart. Attackers can change the administrator password to an arbitrary value without prior knowledge of the original password.
Extended Description
Within cart32.exe, entering any password by way of http://target/scripts/cart32.exe/cart32clientlist, a remote user could obtain vital client information such as username, password, credit card numbers, and other crucial details. Passwords will appear encrypted, however they can be used in conjunction with specific URL requests which can be used to execute arbitrary commands. In addition, by accessing http://target/scripts/c32web.exe/ChangeAdminPassword, a remote user is able to change the administrative password without prior knowledge of the previous password.
Affected Products
- Mcmurtrey/whitaker_&_associates cart32 2.6.0
- Mcmurtrey/whitaker_&_associates cart32 3.0.0
References
- BugTraq: 1153
- CVE: CVE-2000-0136