Katrien De Graeve a.shopKart 2.0 (aka ashopKart20) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) admin/scart.mdb and possibly (2) admin/scart97.mdb.
a.shopKart scart.mdb Direct Request Customer Information Disclosure
Remote / Network Access
Loss of Confidentiality
a.shopKart contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the scart.mdb database, which is stored under the web root (admin/scart.mdb) by default and is served like any other static file, with no authentication. Anyone who can reach the web server can therefore download the database and read the customer records it contains, resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Move scart.mdb (and scart97.mdb, if present) out of the web root to a directory the web server does not serve, and update the path the application uses to open the database accordingly. As an additional measure, configure the web server to refuse direct requests for .mdb files, so a future copy left under the web root is not downloadable.
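The condition described above can be checked from the outside, and spotted after the fact in web server logs, with the following Python. It is added here as an illustration and is not code from a.shopKart or from the original advisory. The two request paths are the ones the advisory names; the Jet/ACE file signature check is what tells a real database apart from a custom 200 error page. The target host, the W3C log field order and the log lines themselves are assumptions, with the log sample constructed for the example.

```python
"""Check for the a.shopKart exposed-database condition and spot it in web logs.

Added example, not code from a.shopKart or from the advisory above.
Host names, log lines and sample bytes are constructed for illustration.
"""
import sys
import urllib.error
import urllib.request

# Paths named in the advisory; the second is listed as "possibly" affected.
MDB_PATHS = ("admin/scart.mdb", "admin/scart97.mdb")

# Microsoft Access files start with four zero bytes followed by a fixed ASCII tag
# ("Standard Jet DB" for .mdb, "Standard ACE DB" for .accdb).
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")


def is_jet_database(data: bytes) -> bool:
    """True if the bytes look like the start of an Access (Jet/ACE) database."""
    return (
        len(data) >= 20
        and data[:4] == b"\x00\x00\x00\x00"
        and data[4:19] in JET_SIGNATURES
    )


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Request each advisory path and report whether a real database came back.

    Returns {path: "exposed" | "not a database" | "HTTP <code>" | "error: ..."}.
    A 200 carrying an HTML error page must not count as exposed, hence the
    signature check on the first bytes of the body rather than the status alone.
    """
    results = {}
    for path in MDB_PATHS:
        url = base_url.rstrip("/") + "/" + path
        req = urllib.request.Request(url, headers={"User-Agent": "mdb-exposure-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                head = resp.read(32)
            results[path] = "exposed" if is_jet_database(head) else "not a database"
        except urllib.error.HTTPError as e:
            results[path] = f"HTTP {e.code}"
        except (urllib.error.URLError, OSError) as e:
            results[path] = f"error: {e}"
    return results


# Constructed IIS W3C extended log excerpt (addresses from documentation ranges).
LOG_SAMPLE = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2004-05-11 02:14:07 203.0.113.5 GET /default.asp 200 5120
2004-05-11 02:14:09 203.0.113.5 GET /admin/scart.mdb 200 1318912
2004-05-11 02:14:12 203.0.113.5 GET /admin/scart97.mdb 404 1634
2004-05-11 02:15:01 198.51.100.7 GET /images/logo.gif 200 2048
"""


def find_mdb_downloads(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client ip, uri, status) for every .mdb request in a W3C log.

    The #Fields directive is used to map columns, so the field order does not
    have to be assumed. Failed attempts (e.g. 404) are kept: a probe for the
    database is worth knowing about even when the file was not there.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated line; skip rather than misparse
        rec = dict(zip(fields, cols))
        if rec["cs-uri-stem"].lower().endswith(".mdb"):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])))
    return hits


if __name__ == "__main__":
    # Usage: python check_scart.py http://shop.example.test/  (host is a placeholder)
    if len(sys.argv) > 1:
        for path, verdict in probe(sys.argv[1]).items():
            print(f"{path}: {verdict}")
    for ip, uri, status in find_mdb_downloads(LOG_SAMPLE):
        print(f"{ip} requested {uri} -> {status}")
```

Run it with the shop's base URL to probe the two paths, or without arguments to see the log scan over the constructed sample. A 200 response whose body does not start with the Jet/ACE signature is reported as "not a database", which is what a redirect to a login page or a custom error page looks like when the status code alone is trusted.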