More info available at http://cgi.nessus.org/plugins/dump.php3?id=10712

Info on BugTraq:
QuikStore
http://www.quikstore.com/
Platforms: Win32 / *Nix (Perl5)
Executable: quikstore.cgi
Exposed Order info: quikstore.cfg* (see note)
Status: Commercial ($175.00+ depending on options)
Number of exposed installs found: 3
PGP Option Available?: Unknown.
NOTE: This is, IMHO, one of the most dangerous of the lot, but
thankfully, one of the lowest number of discovered exposures. Although
the order information itself is secured behind an htaccess name/pwd
pair, the config file is not. The config file is world readable, and
contains the CLEAR TEXT of the ADMINS user id and password
- rendering the entire shopping cart vulnerable to an intruder.
QuikStore's "password protected Online Order Retrieval System" can be
wide open to the world. (Armed with the name and pwd, the web visitor
IS the administrator of the shopping cart, and can view orders, change
settings and order information - the works.)
Other files available on the web:
orders.txt
order.txt
import.txt
checks.txt
order_log
order.log
orders.log
orders_log
log_order
log_orders
temp_order
temp_orders
order_temp
orders_temp
quikstore.cfg
quikstore.cgi
order_log_v12.dat
also order_log.dat
web_store.cgi
storemgr.pw
admin.pw
cc.txt
ck.log
shopper.conf
More info (in Russian):
http://www.krematoriy.com/mht/credit_card/credit_7.html
For encryption, try to gather all files and *.cgi to check the encryption/decryption algorithm ... but I guess your time's wasted because of the password protected Online Order Retrieval System; check out the BugTraq section again :)

Regards, StratOS
"Multitasking - ability to f##k up several things at once."
"It works better if you plug it in."
"As a rule, software systems do not work well until they have been used, and have failed repeatedly, in real applications."
"The one who is digging the hole for the other to fall in is already in it."
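As an added defender-side example, not part of the original post: a local permission audit that walks a shop's document root for the filenames listed above (quikstore.cfg*, the order logs, the .pw files) and reports which ones are world-readable, so an administrator can find a config file that leaks the admin credentials before a visitor does. The filename set comes from the list in the post; the sample document root and its contents are constructed here for demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Artefact names from the post: config, order logs, password and card files.
EXPOSED_NAMES = {
    "quikstore.cfg", "orders.txt", "order.txt", "import.txt", "checks.txt",
    "order_log", "order.log", "orders.log", "orders_log", "log_order",
    "log_orders", "temp_order", "temp_orders", "order_temp", "orders_temp",
    "order_log_v12.dat", "order_log.dat", "storemgr.pw", "admin.pw",
    "cc.txt", "ck.log", "shopper.conf",
}
# The post writes "quikstore.cfg*", i.e. backup/rotated copies count too.
EXPOSED_PREFIXES = ("quikstore.cfg",)


def is_sensitive_name(name: str) -> bool:
    """True if a filename matches one of the exposed artefact names."""
    return name in EXPOSED_NAMES or name.startswith(EXPOSED_PREFIXES)


def audit_docroot(docroot: str) -> list[dict]:
    """Walk a document root; report sensitive files and whether others can read them."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not is_sensitive_name(name):
                continue
            path = Path(dirpath, name)
            mode = path.stat().st_mode
            findings.append({
                "path": str(path.relative_to(docroot)),
                "world_readable": bool(mode & stat.S_IROTH),
                "mode": oct(stat.S_IMODE(mode)),
            })
    return findings


def make_sample_docroot() -> str:
    """Constructed fixture: one leaky config (0644), one protected log (0600)."""
    root = tempfile.mkdtemp(prefix="quikstore_audit_")
    cgi = Path(root, "cgi-bin")
    cgi.mkdir()
    (cgi / "quikstore.cfg").write_text("admin_user=demo\nadmin_pass=demo\n")
    os.chmod(cgi / "quikstore.cfg", 0o644)  # world-readable: the exposure
    (cgi / "orders.txt").write_text("")
    os.chmod(cgi / "orders.txt", 0o600)      # owner-only: fine
    (cgi / "index.html").write_text("<html></html>")  # not sensitive
    return root


if __name__ == "__main__":
    for f in audit_docroot(make_sample_docroot()):
        flag = "EXPOSED" if f["world_readable"] else "ok"
        print(f"{flag:8} {f['mode']} {f['path']}")
```

Point the script at the real document root (or the cgi-bin directory) instead of the constructed one; anything reported as EXPOSED should be moved outside the web root or have its permissions tightened.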