ScriptAndTools eCommerce Information Disclosure Vulnerability in subscriber-csv.php
Vulnerability
An information disclosure vulnerability has been identified in ScriptAndTools eCommerce-website-in-PHP version 3.0. The issue arises from improper access controls in the file subscriber-csv.php, located in the admin directory: the script serves subscriber data without verifying that the requester is logged in. The vulnerability can be exploited remotely and without authentication, exposing subscriber data and leading to potential privacy violations and reputational damage.
Impact
Exploitation of this vulnerability allows unauthorized access to subscriber information, including emails and names, which can be misused for phishing, spam, or sold to third parties, causing privacy violations and reputational harm to the affected organization.
Reproduction
To reproduce this vulnerability, access the subscriber-csv.php file in the admin directory without logging into the application. This can be done by navigating to the appropriate URL on the server where the eCommerce application is hosted. Once the URL is accessed, a CSV file named subscriber_list.csv will be downloaded automatically, containing subscriber emails and other personal information.
Remediation
Implement proper access controls to ensure that sensitive data can only be accessed by authorized users. Regularly audit and monitor access logs to detect and respond to unauthorized access attempts.
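As an added example that is not from the ScriptAndTools code base, the following shows how an admin-only CSV export script can be guarded so that only an authenticated admin session reaches the CSV generation, and how each export can be recorded for audit. The session keys `admin_logged_in` and `admin_id`, the `$pdo` connection provided by `includes/db.php`, and the `subscribers` table are assumptions, since the page does not show the application's internals.

```php
<?php
// Hardened admin CSV export (added example; not the project's own code).
// Assumptions: the admin login sets $_SESSION['admin_logged_in'] = true and
// $_SESSION['admin_id']; includes/db.php defines $pdo (a PDO connection);
// subscribers are stored in a table named `subscribers`.
session_start();

// Access control comes first. Without this check an unauthenticated request to
// admin/subscriber-csv.php would receive the full subscriber list.
if (empty($_SESSION['admin_logged_in']) || empty($_SESSION['admin_id'])) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden: admin login required.";
    exit;
}

// Record who exported the list and from where, so exports can be audited.
error_log(sprintf(
    'subscriber export by admin_id=%d from %s',
    (int) $_SESSION['admin_id'],
    $_SERVER['REMOTE_ADDR'] ?? 'unknown'
));

require_once __DIR__ . '/../includes/db.php'; // assumed to define $pdo

// Stream the CSV to the client rather than writing a file into the web root,
// and tell caches not to keep a copy of the personal data.
header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename="subscriber_list.csv"');
header('Cache-Control: no-store');

$out = fopen('php://output', 'w');
fputcsv($out, ['name', 'email']);

$stmt = $pdo->query('SELECT name, email FROM subscribers ORDER BY id');
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    fputcsv($out, [$row['name'], $row['email']]);
}
fclose($out);
```

The same session check should guard every script in the admin directory, not only this one, so that a missed include cannot reopen the exposure.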
