[12054] in bugtraq


Team Asylum: iHTML Merchant Vulnerabilities

daemon@ATHENA.MIT.EDU (Team Asylum)
Wed Sep 29 16:31:43 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <006e01bf0a16$e3c59bc0$665e163f@default>
Date:         Tue, 28 Sep 1999 21:06:20 -0400
Reply-To: Team Asylum <security@TEAM-ASYLUM.COM>
From: Team Asylum <security@TEAM-ASYLUM.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.team-asylum.com
Source: Dave M. (davem@cyberspace2000.com)
Advisory Date: 09/16/1999

Affected
--------
All known released versions of the iHTML Merchant for Unix/Windows 95/98/NT.

Product Description
-------------------
iHTML Merchant, written by Inline Internet Systems Inc., is an e-commerce
solution programmed in iHTML which allows complicated web programming tasks
to be done by anyone with basic knowledge of HTML and their web server of
choice.

Over 2,700 online merchants run iHTML Merchant.  In turn, they can run
dozens more stores off that single product.  For more details about
this product, visit http://www.ihtmlmerchant.com or see Inline's site at:
http://www.inline.net.

Vulnerability Summary
---------------------
Team Asylum has discovered a vulnerability that exists in iHTML Merchant
which would allow a malicious hacker to (at the very least) view the
protected files in the website's administrative section, giving the attacker
the ability to view credit card information.  If the iHTML Merchant is being
run on Windows 95/98/NT the vulnerability is much more severe.  The
vulnerability exists in how iHTML Merchant parses code.  The attacker
could:

1) Delete any file on the server.
2) Write a file to any folder on the server.
3) Upload a trojan.
4) Steal credit card numbers and other hidden information.

If the iHTML Merchant is being run on UNIX, the possibility exists that the
web site could be altered.  These findings reflect the default settings for
95/98/NT and iHTML Merchant.

Fix
---
Below is a temporary fix that can be integrated with iHTML Merchant.

<!--- http://www.team-asylum.com -->
<iEQ name="brac" value=<iSTRIN SRC=":email" DST="<">>
<iIF NOTCOND=<iSTRNICMP SRC=:brac DST="0">>
For security reasons, your message was not sent.<br>Please verify that you
entered your email address correctly, by going <a
href="javascript:history.back(1)">back</a><br>
<iinclude name="template/footer.ihtml">
<iSTOP>
</iIF>
<!--- Fix by: Dave Meehan -->
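
The temporary fix above rejects a submission only when the :email field
contains a "<" character. The following is an added example, not part of
the advisory and not iHTML Merchant code: it restates that check in Python
next to a stricter allowlist that accepts only a plain address, so both can
be compared on the same inputs. The function names, the address pattern and
the sample values are assumptions constructed for illustration.

```python
import re

# Assumption: the form field should hold a bare address (no display name,
# comments or quoted local part), so a conservative pattern is acceptable.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@" + _LABEL + r"(?:\." + _LABEL + r")+")
MAX_LEN = 254  # common upper bound for a full address


def advisory_check(email):
    """Same logic as the temporary fix: accept unless '<' appears."""
    return "<" not in email


def allowlist_check(email):
    """Accept only values that match the address pattern in full."""
    if not isinstance(email, str) or len(email) > MAX_LEN:
        return False
    return _EMAIL_RE.fullmatch(email) is not None


# Constructed sample inputs for the form's e-mail field.
SAMPLES = [
    "alice@example.com",      # ordinary address
    "alice@example.com<b>",   # contains the character the fix looks for
    "alice@example.com>",     # not an address, but has no '<'
    "not an address",         # free text
    "",                       # empty submission
]


def compare(samples):
    """Return (value, passes_advisory_check, passes_allowlist) per sample."""
    return [(s, advisory_check(s), allowlist_check(s)) for s in samples]


if __name__ == "__main__":
    for value, denylist_ok, allowlist_ok in compare(SAMPLES):
        print(f"{value!r:28} fix-accepts={denylist_ok!s:5} allowlist-accepts={allowlist_ok}")
```

Values that the "<" check accepts but the allowlist rejects are the ones to
review when deciding whether the temporary fix is enough for a given form.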


Final Notes
-----------
This vulnerability exists because of the way the iHTML Merchant was
written but is compounded by faulty NT security settings.  Team Asylum
has notified Inline Internet Systems but has received no response
whatsoever.
