URL: http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239

Change the name Paul to Paul'

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Paul'',lastName='Smith',customerCompany='Early Impact', address='3226 Colorado Ave', city='Santa Monica', zip='90004', stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36

have a nice weekend ;-)

On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> ProductCart database file can be downloaded remotely
> =================================================
>
> PROGRAM: ProductCart
> HOMEPAGE: http://www.earlyimpact.com/productcart/
> VULNERABLE VERSIONS: 1.0 to 2.0
> RISK: High
>
>
> DESCRIPTION
> =================================================
>
> ProductCart® is an ASP shopping cart that combines sophisticated
> ecommerce features with time-saving store management tools and remarkable
> ease of use. It is widely used by many e-commerce sites.
>
> DETAILS
> =================================================
>
> In the default installation, the ProductCart database file is located at
> /productcart/database/EIPC.mdb, which can be accessed easily
> by any remote attacker.
>
> Sample: http://victimhost/productcart/database/EIPC.mdb
>
> The database file includes the store administration password as well as
> customers' info (including credit card info).
>
>
> WORKAROUND
> =================================================
>
> Rename the database file and put it in a protected directory.
>
>
> CREDITS
> =================================================
>
> Discovered by Tri Huynh from Sentry Union
>
>
> DISCLAIMER
> =================================================
>
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any damages whatsoever arising out of
> or in connection with the use or spread of this information. Any use
> of this information is at the user's own risk.
>
>
> FEEDBACK
> =================================================
>
> Please send suggestions, updates, and comments to: [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
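The error message quoted at the top of the reply is the tail of an UPDATE statement into which the customer's first name was pasted as raw text, so a single quote in the name breaks the query. The following is an added example, not code from the post or from ProductCart: it rebuilds that UPDATE from the column names visible in the error, runs it against an in-memory SQLite database standing in for the Access backend, and puts the string-concatenated version beside a parameterized one. The table name "customers", the leading column "firstName" and all row data are assumptions or constructed sample values (the error only shows the columns from lastName onward). The last call shows, in the SQLite stand-in only, why an unescaped quote is more than a cosmetic error: the submitted field can rewrite the WHERE clause. Nothing here is claimed to work verbatim against Jet/Access, whose comment and quoting syntax differ.

```python
"""Reconstruction of the UPDATE behind the quoted Access error, run against
SQLite as a stand-in (assumption: the real code is classic ASP + ADO on an
Access .mdb; table name "customers" and column "firstName" are assumed)."""
import sqlite3

# lastName..phone are taken from the error message; firstName is an assumption.
COLUMNS = ["firstName", "lastName", "customerCompany", "address", "city",
           "zip", "stateCode", "CountryCode", "phone"]

# Constructed sample data: the values visible in the post's error message plus
# one extra customer so an injected WHERE clause has something else to hit.
SEED_ROWS = [
    (115, "Paul", "Smith", "Early Impact", "3226 Colorado Ave", "Santa Monica",
     "90004", "CA", "US", "949 452 0062"),
    (116, "Jane", "Doe", "Example Co", "1 Example St", "Anytown",
     "00000", "NY", "US", "000 000 0000"),
]


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the two constructed customers."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{c} TEXT" for c in COLUMNS)
    conn.execute(f"CREATE TABLE customers (idCustomer INTEGER PRIMARY KEY, {cols})")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?,?,?)", SEED_ROWS)
    conn.commit()
    return conn


def build_update_concat(values: dict, id_customer: int) -> str:
    """The vulnerable shape: field values pasted straight into the SQL text.
    With firstName = "Paul'" this yields SET firstName='Paul'',lastName='Smith',...
    which is exactly the expression the Access error complains about."""
    assignments = ",".join(f"{c}='{values[c]}'" for c in COLUMNS)
    return f"UPDATE customers SET {assignments} WHERE idCustomer={id_customer}"


def update_concat(conn: sqlite3.Connection, values: dict, id_customer: int):
    """Run the concatenated UPDATE. Returns ("ok", rows_changed) or ("error", msg)."""
    try:
        cur = conn.execute(build_update_concat(values, id_customer))
        conn.commit()
        return ("ok", cur.rowcount)
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return ("error", str(exc))


def update_param(conn: sqlite3.Connection, values: dict, id_customer: int):
    """Hardened shape: column names are fixed in code, every value travels as a
    bound parameter, so a quote in the name is stored literally."""
    assignments = ",".join(f"{c}=?" for c in COLUMNS)
    params = [values[c] for c in COLUMNS] + [id_customer]
    cur = conn.execute(f"UPDATE customers SET {assignments} WHERE idCustomer=?", params)
    conn.commit()
    return ("ok", cur.rowcount)


def first_names(conn: sqlite3.Connection) -> dict:
    """idCustomer -> firstName for every row, to see what each UPDATE touched."""
    return dict(conn.execute("SELECT idCustomer, firstName FROM customers ORDER BY idCustomer"))


def paul(first_name: str) -> dict:
    """Constructed form submission: customer 115 from the post with firstName replaced."""
    values = dict(zip(COLUMNS, SEED_ROWS[0][1:]))
    values["firstName"] = first_name
    return values


if __name__ == "__main__":
    conn = open_db()
    # 1. The post's observation: the bare quote breaks the concatenated query.
    print(update_concat(conn, paul("Paul'"), 115))
    # 2. The same input through bound parameters is simply stored.
    print(update_param(conn, paul("Paul'"), 115), first_names(conn))
    # 3. SQLite stand-in only: the field closes the literal and supplies its own
    #    WHERE clause, so every customer's first name is overwritten.
    print(update_concat(open_db(), paul("Paul' WHERE 1=1 -- "), 115))
```

Parameterization fixes the query; it does nothing about the second finding in the quoted advisory, the world-readable EIPC.mdb, which needs the file moved out of the web root (or the directory protected) regardless of how the ASP pages build their SQL.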