CS-Cart: Debug and configuration information - December 27, 2018
- December 27, 2018 - Vulnerability was found by the Simtech Development AWS hosting team.
- December 27, 2018 - Fix for the robots.txt file is ready. It will disable indexing of special technical URLs with sensitive information in the future.
- December 27, 2018 - The fix for robots.txt was deployed for AWS cloud hosting clients.
- December 27, 2018 - CS-Cart development team was informed about the fix for the
- December 28, 2018 - Our clients were informed about the recommended further actions.
- January 2, 2019 - GHDB-ID-5064 was obtained.
As your AWS hosting service provider and dedicated CS-Cart fans, we could not stand aside, so we contributed to the security of CS-Cart users: on December 27, 2018 we produced a hotfix that prevents future indexing of special technical URLs containing sensitive information.
- Log in via SSH/SFTP and go to the project directory.
- Add the string Disallow: /*dispatch=debugger* to the robots.txt file after line
- Contact Google to remove the sensitive information from search results.
- Change all access information, API keys and credentials for other services that are used in the CS-Cart installations.
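The following Python script is an added example, not code from Simtech Development or CS-Cart, that applies the robots.txt step idempotently and then checks that the new rule actually matches the debugger URL. The starting robots.txt content and the URLs are constructed for the example; a real CS-Cart robots.txt will differ. The matcher implements the Google-style `*` wildcard, because the standard library's urllib.robotparser does not understand wildcards and would report the rule as not matching, which is an easy way to misjudge the fix.

```python
import re
from urllib.parse import urlsplit

# Constructed sample robots.txt as it might look before the fix (assumption, not the page's file)
ROBOTS_BEFORE = "User-agent: *\nDisallow: /app/\nDisallow: /var/\n"

# The rule recommended in the advisory
DEBUGGER_RULE = "Disallow: /*dispatch=debugger*"


def add_disallow(robots_txt, rule=DEBUGGER_RULE):
    """Append the rule to the robots.txt text exactly once (idempotent)."""
    if any(line.strip() == rule for line in robots_txt.splitlines()):
        return robots_txt
    if robots_txt and not robots_txt.endswith("\n"):
        robots_txt += "\n"
    return robots_txt + rule + "\n"


def _pattern_to_regex(pattern):
    """Translate a Google-style path pattern: '*' matches any run, trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def disallowed_rules(robots_txt):
    """Collect Disallow values; comments are stripped, empty Disallow lines ignored.
    Simplification: all rules are treated as one group (no per-User-agent handling, no Allow)."""
    rules = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                rules.append(value)
    return rules


def is_blocked(url, robots_txt):
    """True if the URL's path plus query string matches any Disallow rule."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return any(_pattern_to_regex(rule).match(target) for rule in disallowed_rules(robots_txt))


if __name__ == "__main__":
    fixed = add_disallow(ROBOTS_BEFORE)
    # Constructed hostname for the demo
    debugger_url = "https://shop.example/index.php?dispatch=debugger"
    print("before fix, blocked:", is_blocked(debugger_url, ROBOTS_BEFORE))
    print("after fix, blocked: ", is_blocked(debugger_url, fixed))
```

Note that robots.txt only asks well-behaved crawlers not to fetch a URL; it does not stop anyone who already has the link, and it does not remove what Google has already cached. That is why the advisory's other steps (removal request, credential rotation) still apply after the rule is in place.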
We also recommend using separate servers for development and production environments. Read more here.
As the primary solution to this problem and similar ones, we recommend marking links and pages with sensitive information with special tags.
An unauthorized user can exploit a Google dork, a specially crafted search query, to find such pages. A successful Google dork against your website can allow attackers to read sensitive data from configuration files, CS-Cart settings and add-ons.
This information may be compromised:
- Database and FTP access credentials.
- CS-Cart configuration settings (mail sender information such as Google accounts, license key, admin URL, etc.).
- Add-on settings (API keys, credentials for third-party services).
Google indexes a lot of data from your website and, when debug mode is on, caches sensitive information such as database credentials and application settings.
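To judge whether the debugger page was actually served before the fix, and to whom, a store owner can look at the web server access log. The script below is an added example, not part of this advisory: it parses Apache combined-format log lines, flags successful requests whose dispatch parameter is debugger, and marks whether the user agent looks like a crawler. The log lines are constructed for the example (addresses from documentation ranges, invented timestamps), and the "bot" substring check is a deliberately simple heuristic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache combined format (not real traffic)
SAMPLE_LOG = """\
203.0.113.10 - - [27/Dec/2018:10:01:02 +0000] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
66.249.66.1 - - [27/Dec/2018:10:02:15 +0000] "GET /index.php?dispatch=debugger HTTP/1.1" 200 88130 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [27/Dec/2018:10:03:40 +0000] "GET /admin.php?dispatch=settings.manage HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.55 - - [27/Dec/2018:10:04:01 +0000] "GET /index.php?dispatch=debugger&debug=1 HTTP/1.1" 200 88130 "-" "curl/7.61.0"
"""

# Apache combined format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the named fields of one log line, or None if the line does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def debugger_hits(log_text, dispatch="debugger"):
    """Successful (HTTP 200) requests whose dispatch query parameter equals the given value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        if dispatch in query.get("dispatch", []) and rec["status"] == "200":
            # Heuristic: most search-engine crawlers identify themselves with "bot" in the user agent
            rec["crawler"] = "bot" in rec["ua"].lower()
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in debugger_hits(SAMPLE_LOG):
        kind = "crawler" if hit["crawler"] else "other client"
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]} ({kind})')
```

A crawler hit means the page may already be in a search index, so a removal request is warranted; a hit from any other client means someone may have read the configuration directly, and the credentials shown on that page should be treated as exposed.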