CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file under the web root, which allows remote attackers to steal credit card information via a direct request to newfile.txt.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Citrusdb_customer_database | Citrusdb | 0.1.2 (including) | 0.1.2 (including) |
| Citrusdb_customer_database | Citrusdb | 0.2 (including) | 0.2 (including) |
| Citrusdb_customer_database | Citrusdb | 0.2.1 (including) | 0.2.1 (including) |
| Citrusdb_customer_database | Citrusdb | 0.3 (including) | 0.3 (including) |
| Citrusdb_customer_database | Citrusdb | 0.3.1 (including) | 0.3.1 (including) |
| Citrusdb_customer_database | Citrusdb | 0.3.5 (including) | 0.3.5 (including) |
References
- http://marc.info/?l=full-disclosure\u0026m=110824766519417\u0026w=2
- http://securitytracker.com/id?1013040
- http://www.citrusdb.org/forums/viewtopic.php?t=49
- http://www.redteam-pentesting.de/advisories/rt-sa-2005-001.txt
- http://www.securityfocus.com/bid/12402
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19145
- http://marc.info/?l=full-disclosure\u0026m=110824766519417\u0026w=2
- http://securitytracker.com/id?1013040
- http://www.citrusdb.org/forums/viewtopic.php?t=49
- http://www.redteam-pentesting.de/advisories/rt-sa-2005-001.txt
- http://www.securityfocus.com/bid/12402
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19145