[10306] in bugtraq


Re: "Shopping Carts exposing CC data"

daemon@ATHENA.MIT.EDU (Richard Ford)
Wed Apr 21 20:27:30 1999

Date: 	Wed, 21 Apr 1999 16:25:35 -0400
Reply-To: Richard Ford <rford@HWAY.NET>
From: Richard Ford <rford@HWAY.NET>
To: BUGTRAQ@NETSPACE.ORG

Joe said:
> And now a drum roll please:
>
> Mercantec's SoftCart http://www.mercantec.com/
>     Platform: Win32 (*Nix?)
>     Executable: SoftCart.exe (version unknown)
>     Exposed Directory: /orders and /pw
>     Exposed Order Info: Files ending in "/orders/*.olf"
>     Exposed Config Info: /pw/storemgr.pw
>                        (user ID and encrypted PW for store mgr?)
>
>    Number of exposed installs: 1
>    PGP Option Available?: Unknown
>    NOTES:
>
>   This one has only been found vulnerable on ONE server. (user error?) The
>    encryption scheme on the storemgr.pw password is unrecognized by me but
>    I'm not an encryption guru.  Someone's bound to recognize it.
>
>    This is a scary one though - HiWay technologies is one of the largest
>    domain hosts in the world, with over 120,000 domains. They are using
>    SoftCart for clients that request ECommerce capabilities.
>
>    The exposed install I found is hosted by HiWay.
>
>    *shudder*

There's something about being so big that means that you can find almost
anything on a Hiway system :-) In this case, though, the fire alarm is somewhat
misplaced. In its usual setup, Mercantec pgp's all the .olf files, so there is no
"plain text" CC information. Obviously, the user can not use pgp, and I have no
doubt that that is exactly what you found in the site(s) you looked at.

One of the continual issues with being a Web Hosting entity is how much do
you restrict what your users can do; should we *require* a user of ours
to use a particular configuration of a product? It's a tough call. If
a large number of our sites _had_ been vulnerable though, I wish you had
given us a heads up first.

FWIW, we've blocked all downloads from that directory via http/httpds, so now
they won't get indexed or accessed... but as they should have been
encrypted, that's not quite so urgent. Either way, it should be completed
shortly.

Richard
--
Dr. Richard Ford
Mgr. of Engineering,
Hiway Technologies, Inc.
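
One way to implement the block Richard describes ("blocked all downloads from that directory via http"), as an added example that is not Hiway's or Mercantec's actual configuration: an Apache httpd fragment that refuses HTTP access to the SoftCart /orders and /pw directories, and additionally to any *.olf file or storemgr.pw file by name, wherever a store happens to keep them. The DocumentRoot path /home/store/htdocs is an assumption; the directory and file names come from Joe's post. The directives are Apache 2.4 syntax, with the older 2.2 equivalent noted in comments since the post predates it.

```apache
# Added example, not the original post's or Hiway's httpd.conf.
# Assumption: the store lives under DocumentRoot /home/store/htdocs, and
# SoftCart writes orders to /orders/*.olf and the store manager's
# credentials to /pw/storemgr.pw (paths as reported in the Bugtraq post).

# 1. Deny both directories outright. Doing it at directory level also
#    switches off indexing, so order file names cannot be enumerated even
#    if a file-level rule below is ever missed.
<Directory "/home/store/htdocs/orders">
    Options -Indexes
    # Apache 2.4. On 2.2 and earlier use:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</Directory>

<Directory "/home/store/htdocs/pw">
    Options -Indexes
    Require all denied
</Directory>

# 2. Belt and braces: refuse to serve order files and the manager password
#    file by name, regardless of which directory a misconfigured store (or
#    a symlink) puts them in. These match on the requested filename only.
<FilesMatch "\.olf$">
    Require all denied
</FilesMatch>

<Files "storemgr.pw">
    Require all denied
</Files>
```

A quick check after a reload is `curl -sI http://store.example/orders/` and `curl -sI http://store.example/pw/storemgr.pw`, both of which should now return 403 rather than a listing or the file. Two caveats worth keeping in mind: `Require` only governs incoming HTTP requests, so SoftCart.exe running as a CGI can still write its .olf files as before; and this only closes the web path. On a shared hosting box the files are still on disk and readable to whatever the filesystem permissions allow, which is why moving the directories outside DocumentRoot and, above all, keeping the PGP encryption of .olf files turned on remain the primary controls rather than this fragment.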
