Vulnerability title: Ecshop database contains default account information, leading to leakage of site information
Related vendor: Shopex
Vulnerability author: small machine
Submission time: 2012-05-28
Disclosure time: 2012-07-12
Vulnerability type: lax account and permission control
Severity rating: Low
Self-assessed rank: 1
Vulnerability status: confirmed by the vendor
Source: http://www.wooyun.org
Vulnerability details: When Ecshop is installed with the default settings, the installer adds two administrator accounts. Although these accounts are not granted permission to perform administrative operations, anyone who logs in with them can still view the site's order data.
[Screenshot of the admin_user table showing the two default accounts; image not reproduced]
Vulnerability proof: Pick any Ecshop site, open its admin backend, and log in with user name bjgonghuo1 and password bjgonghuo1.
Alternatively, log in with user name Shgonghuo and password Shgonghuo.
http://www.lefei.com/admin/
Fix recommendation: Delete the two default administrator accounts, and check the admin login log for any use of them before deletion.
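As an added example (not part of the original report or of Ecshop's own code), the SQL below audits for the two default accounts, checks whether they have ever logged in, and removes them. It assumes the default Ecshop table prefix ecs_, the admin_user columns user_id, user_name, email, password, action_list, last_login and last_ip, the admin_log columns user_id, log_time, ip_address and log_info, and that passwords are stored as an unsalted MD5 (later Ecshop versions add an ec_salt column and hash differently, so the MD5 check is only indicative). Adjust the prefix and column names to match your installation.

```sql
-- Added example, not from the original report.
-- Assumption: default table prefix "ecs_"; change it if your site uses another.

-- 1. Audit: list the two default accounts named in the report together with
--    their permission list, so you can see what they are allowed to do.
SELECT user_id, user_name, email, action_list, last_login, last_ip
FROM ecs_admin_user
WHERE user_name IN ('bjgonghuo1', 'shgonghuo');

-- 2. Wider check: any admin account whose stored password is the plain MD5
--    of its own user name (the pattern of both default accounts).
--    Assumption: unsalted MD5 storage; salted installs will not match here.
SELECT user_id, user_name
FROM ecs_admin_user
WHERE password = MD5(user_name);

-- 3. Incident check: has anyone logged in as these accounts? Keep this
--    output for the incident record before the rows are deleted.
--    Assumption: admin_log columns user_id, log_time, ip_address, log_info.
SELECT l.log_time, l.ip_address, l.log_info, u.user_name
FROM ecs_admin_log AS l
JOIN ecs_admin_user AS u ON u.user_id = l.user_id
WHERE u.user_name IN ('bjgonghuo1', 'shgonghuo')
ORDER BY l.log_time DESC;

-- 4. Remove the two default accounts.
DELETE FROM ecs_admin_user
WHERE user_name IN ('bjgonghuo1', 'shgonghuo');

-- 5. Verify nothing remains (expected result: remaining = 0).
SELECT COUNT(*) AS remaining
FROM ecs_admin_user
WHERE user_name IN ('bjgonghuo1', 'shgonghuo');
```

Run steps 1 to 3 first and save their output; the MD5 check in step 2 is worth repeating after any future reinstall or upgrade, since the report's point is that the accounts arrive with the installer rather than being created by the site owner.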