[10291] in bugtraq
Re: Shopping Carts exposing CC data
daemon@ATHENA.MIT.EDU (Joe)
Tue Apr 20 19:14:38 1999
Date: Tue, 20 Apr 1999 13:34:57 -0700
Reply-To: Joe <joe@GONZO.BLARG.NET>
From: Joe <joe@GONZO.BLARG.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990419190407.5915B-100000@gonzo.blarg.net>
My apologies for the canned response, but I'm getting an email request for
specifics on this mess averaging 1 per minute - so I'll post this to the
list.
To answer many questions all at once:
CNet has not posted the story yet. (This is a good thing) More time to
minimize the damage...
The larger ECommerce sites usually write their stuff in house. As such,
places like Onsale.com, Amazon.com etc are not, to my knowledge,
vulnerable in the least. The ones you need to concern yourself with are
those that purchase 3rd party shopping systems and then install them
incorrectly. From what I've been able to gather, it's the smaller
mom-n-pop operations that are causing the most damage.
If a cart is not listed here, it should not be considered vulnerable in
the slightest. I myself have no problem doing business with Amazon,
Onsale, SurplusAuction, UBid, Buy.com et al. This doesn't mean you
shouldn't check your own installs though.
It would perhaps be prudent for ECommerce sites to reveal their
architecure and security scheme within their privacy statements. I for
one would like to hear them all say "No un-encrypted data stored on
servers - period." (This is our own policy) Hell, something as simple as
a 1024b PGP scheme with off-net private keys would make me deliriously
happy.
Please don't ask me if your particular cart is "vulnerable". Check for
yourself, since ALL of the carts listed below CAN be secured and are
usually only exposing data when the end user fsks up the install. Simply
check all files that contain customer data (order.log etc..) and see if
it's available to a web browser. You should already have the path to it,
so plug in the url to that file, if it comes up, you got problems.
It should be noted that these are not "bugs" in the common vernacular,
just improperly installed/maintained carts.
Under NO circumstances should any of the carts listed below be
blacklisted or considered unsafe. Quite the contrary. Many of the carts
listed below provide PGP options that would completely eliminate this
problem. Sadly, too few cart users are utilizing these options and
instead are taking the path of least resistance.
Here are the six shopping carts that, when installed contrary to their
documentation or are improperly maintained can expose order information.
All of the exposed information generated by these carts was discovered
through a public search engine.
Selena Sol's WebStore 1.0 http://www.extropia.com/
Platforms: Win32 / *Nix (Perl5)
Executable: web_store.cgi
Exposed Directory: Admin_files
Exposed Order info: Admin_files/order.log
Status: Commercial ($300)/ Demo available.
Number of exposed installs found: 100+
PGP Option available?: Yes
Order Form v1.2 http://www.io.com/~rga/scripts/cgiorder.html
Platforms: Win32 / *Nix (Perl5)
Executable: ?
Exposed Directory: Varies, commonly "Orders" "order" "orders" etc..
Exposed Order Info: order_log_v12.dat (also order_log.dat)
Status: Shareware ($15/$25 registration fee)
Number of exposed installs found: 15+
PGP Option available?: Unknown.
Seaside Enterprises EZMall 2000 http://www.ezmall2000.com/
Platforms: Win32 / *Nix (Perl5)
Executable: mall2000.cgi
Exposed Directory: mall_log_files
Exposed Order Info: order.log
Status: Commercial ($225.00+ options)
Number of exposed installs found: 20+
PGP Option Available?: YES
QuikStore http://www.quikstore.com/
Platforms: Win32 / *Nix (Perl5)
Executable: quikstore.cgi
Exposed Order info: quikstore.cfg* (see note)
Status: Commercial ($175.00+ depending on options)
Number of exposed installs found: 3
PGP Option Available?: Unknown.
NOTE: This is, IMHO, one of the most dangerous of the lot, but
thankfully, one of the lowest number of discovered exposures. Although
the order information itself is secured behind an htaccess name/pwd
pair, the config file is not. The config file is world readable, and
contains the CLEAR TEXT of the ADMINS user id and password
- rendering the entire shopping cart vulnerable to an intruder.
QuikStore's "password protected Online Order Retrieval System" can be
wide open to the world. (Armed with the name and pwd, the web visitor
IS the administrator of the shopping cart, and can view orders, change
settings and order information - the works.)
PDGSoft's PDG Shopping Cart 1.5 http://www.pdgsoft.com/
Platforms: Win32 / *Nix (C/C++(?))
Executable: shopper.cgi
Exposed Directory: PDG_Cart/ (may differ between installs)
Exposed Order info: PDG_Cart/order.log
Exposed Config info: PDG_Cart/shopper.conf (see note)
Status: Commercial ($750+ options)
Number of exposed installs found: 1+ (They installed it on our server)
PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)
NOTE: if they renamed the order log, shopper.conf will tell you where
it's at and what it was named - worse, shopper.conf exposes the clear
text copy of Authnet_Login and Authnet_Password, which gives you full
remote administrative access to the cart. shopper.conf, from what I can
determine based on the company installed version we have here, is world
readable and totally unsecured.
And now a drum roll please:
Mercantec's SoftCart http://www.mercantec.com/
Platform: Win32 (*Nix?)
Executable: SoftCart.exe (version unknown)
Exposed Directory: /orders and /pw
Exposed Order Info: Files ending in "/orders/*.olf"
Exposed Config Info: /pw/storemgr.pw
(user ID and encrypted PW for store mgr?)
Number of exposed installs: 1
PGP Option Available?: Unknown
NOTES:
This one has only been found vulnerable on ONE server. (user error?) The
encryption scheme on the storemgr.pw password is unrecognized by me but
I'm not an encryption guru. Someone's bound to recognize it.
This is a scary one though - HiWay technologies is one of the largest
domain hosts in the world, with over 120,000 domains. They are using
SoftCart for clients that request ECommerce capabilities.
The exposed install I found is hosted by HiWay.
*shudder*
Any and all opinions expressed here are solely those of the author and
do not reflect the views, policies, practices or opinions of my employer.
Joe.
--
Joe H. Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
