CVE-2002-1798

MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name	Vendor	Start Version	End Version
Midicart_php	Midicart	- (including)	- (including)
Midicart_php_maxi	Midicart	- (including)	- (including)
Midicart_php_plus	Midicart	- (including)	- (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/127.html
https://cwe.mitre.org/data/definitions/143.html
https://cwe.mitre.org/data/definitions/144.html
https://cwe.mitre.org/data/definitions/668.html
https://cwe.mitre.org/data/definitions/87.html

References

http://archives.neohapsis.com/archives/bugtraq/2002-10/0016.html
http://www.iss.net/security_center/static/10306.php
http://www.securityfocus.com/bid/5851
http://www.securityfocus.com/bid/5855

NVD	https://nvd.nist.gov/vuln/detail/CVE-2002-1798
CWE	https://cwe.mitre.org/data/definitions/425.html

Direct Request ('Forced Browsing')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References