DCShop is a complete shopping cart system for your e-commerce website. Multiple security vulnerabilities in the product allow attackers to gain access to sensitive files (for example, files that contain credit card numbers).
Multiple security vulnerabilities DCShop allow unauthorized persons via a Web browser to retrieve customer credit card numbers in clear text. Although the developers on their Web site recommend not using the beta product for commercial use, several commercial sites are using this version on production machines.
The issue shows up on improperly configured servers, i.e. where the "Everyone"-group has "Full Access" to the CGI-BIN or sub-folders.
If a request is made to the following URL:
The web host will send back a text file with all recent orders, including the end-users name, shipping and billing-address, e-mail address and credit card numbers with expiration dates.
It is also possible to find the administrator name and password by requesting a different file: