
Credit Card data disclosure in CitrusDB

RedTeam found an information disclosure vulnerability in CitrusDB which can
result in disclosure of credit card information.

Details
=======

Product: CitrusDB
Affected Version: <= 0.3.5
Immune Version: >=0.3.6
OS affected: all
Security-Risk: very high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org/ 
Vendor-Status: informed, new version released
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2005-001
CVE: CAN-2005-0229
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0229)

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP and a
database backend (currently MySQL) to keep track of customer information,
services, products, billing, and customer service information."

CitrusDB uses a text file to temporarily store credit card information. This
text file is located inside the web tree at a static URL and is therefore
accessible to third parties. It is also not deleted after processing, which
leaves an attacker a large window of opportunity.

More Details
============

The path of the text file, "<path to CitrusDB>/io/newfile.txt", is stated in the
files "tools/uploadcc.php" and "tools/importcc.php". The <path to CitrusDB> is
always known while browsing the application, so "newfile.txt", containing the
credit card data, can easily be located and accessed. This leads to disclosure
of the confidential data stored in that file.

Proof of Concept
================

Add "/citrusdb/io/newfile.txt" to the URL of a site running a default CitrusDB
installation.

Workaround
==========

Either deny access to the file using access restriction features of your
webserver or change CitrusDB to use a file outside document root and not
accessible via http.

Fix
===

Update to CitrusDB version 0.3.6 or higher and set $path_to_ccfile in the
configuration to a path that is not accessible via HTTP.
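The following PHP is an added example illustrating both the workaround (keep the
file out of the document root) and the fix (a configured $path_to_ccfile that is
not reachable over HTTP). It is not CitrusDB's own code: the variable name
$path_to_ccfile is taken from this advisory, but treating it as a directory, the
directory /var/lib/citrusdb/private, and the helper functions are assumptions.
It refuses to run if the configured directory lies under the web server's
document root, writes the temporary file with owner-only permissions under an
unpredictable name, and removes it as soon as processing is finished.

```php
<?php
// Added example, not CitrusDB code. Assumed: $path_to_ccfile names a directory
// outside the document root, owned by and writable only for the web server user
// (e.g. chown www-data /var/lib/citrusdb/private && chmod 0700 ...).
$path_to_ccfile = '/var/lib/citrusdb/private';

// Refuse to store card data anywhere below DOCUMENT_ROOT. Outside a web request
// (CLI) DOCUMENT_ROOT is unset and the check is skipped.
function assertOutsideDocumentRoot(string $dir): void
{
    $real = realpath($dir);
    if ($real === false) {
        throw new RuntimeException("storage directory does not exist: $dir");
    }
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real . '/', $docroot . '/') === 0) {
        throw new RuntimeException("refusing to store card data under the document root: $real");
    }
}

// Write the temporary file with a random name (instead of the static
// "newfile.txt") and mode 0600, so neither the URL nor the filesystem leaks it.
function writeCardTempFile(string $dir, string $contents): string
{
    assertOutsideDocumentRoot($dir);
    $file = $dir . '/cc-' . bin2hex(random_bytes(16)) . '.txt';
    $old = umask(0077);
    $ok = file_put_contents($file, $contents, LOCK_EX);
    umask($old);
    if ($ok === false) {
        throw new RuntimeException("could not write $file");
    }
    chmod($file, 0600);
    return $file;
}

// Process the file and delete it in all cases, including on error, so the
// window of exposure ends when processing does. The overwrite before unlink is
// best effort only; the unlink is what matters.
function processAndDiscard(string $file, callable $process): void
{
    try {
        $process(file_get_contents($file));
    } finally {
        $len = filesize($file);
        if ($len !== false && $len > 0) {
            file_put_contents($file, str_repeat("\0", $len));
        }
        unlink($file);
    }
}

// Usage with a constructed placeholder record (no real card data).
$tmp = writeCardTempFile($path_to_ccfile, "CONSTRUCTED-SAMPLE-RECORD\n");
processAndDiscard($tmp, function (string $data): void {
    // Import the records into the database here.
});
```

For an installation that cannot be changed immediately, the first half of the
workaround can be applied in the web server instead: in Apache 2.4 a
`<Directory>` block for the io/ directory containing `Require all denied`
(`Deny from all` on 2.2) stops HTTP access to the file, although it stays
readable to other local users until it is deleted.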

Security Risk
=============

The software is still beta, so it probably isn't widely used. To sites
running CitrusDB, the risk is very high because credit card data is
concerned. Disclosure of credit card data can lead to serious liability
issues for the site.

History
=======

2005-01-28 Email sent to author
2005-01-28 Answer from author received, new version released
2005-01-29 CVE number requested
2005-02-12 Posted as CAN-2005-0229
2009-05-08 Updated Advisory URL

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at
http://www.redteam-pentesting.de