[21080] in bugtraq
DCShop vulnerability
daemon@ATHENA.MIT.EDU (Peter Helms)
Mon Jun 18 20:24:10 2001
Date: 18 Jun 2001 12:08:54 -0000
Message-ID: <20010618120854.25976.qmail@securityfocus.com>
From: Peter Helms <peter.helms@ey.dk>
To: bugtraq@securityfocus.com
We have seen several Web shops using your
DCShop product as E-commerce system, where it is
possible for unauthorized persons via a Web browser
to retrieve customer credit card numbers in cleartext.
Although the developers on their Web site
recommend not to use the beta product for
commercial use, we have found sites already using it
commercially.
The issue does not show up on properly configured
servers, i.e. where the "Everyone"-group has "Full
Access" to the CGI-BIN or sub-folders, more info
below.
The requests are made of the following URL:
http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt
This will trigger the Web host to send a text file with all
recent orders, including the end-users name,
shipping and billing-address, e-mail address AND
CREDIT CARD NUMBERS with exp-dates.
It is also in some cases possible to find the
administrator name and password in another text file
from a URL:
http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt
We have reported this issue to the developer,
DCscripts.com, who within hours posted a security
issue bulletin on their web site to clarify the
recommendations for their software:
http://www.dcscripts.com/dcforum/dcshop/44.html
Peter Helms
Ernst & Young, Denmark
peter.helms@ey.dk
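As an added example that is not part of the original advisory or of DCShop itself, the following Python script shows how a site operator can check web server access logs for the two data files named above and tell apart requests the server actually served (status 200, data exposed) from requests it refused. The log format (Apache/NCSA Common Log Format), the sample log lines and the client addresses are all constructed for this example; the file paths are the ones from the advisory.

```python
import re
from typing import Dict, List, Optional

# Relative paths of the DCShop data files named in the advisory. These are
# compared case-insensitively because Windows/IIS hosts serve paths that way.
SENSITIVE_SUFFIXES = (
    "dcshop/orders/orders.txt",
    "dcshop/auth_data/auth_user_file.txt",
)

# NCSA Common Log Format: host ident authuser [date] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line into its fields; return None for unparsable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path: str) -> bool:
    """True if the requested path points at one of the DCShop data files."""
    p = path.split("?", 1)[0].lower()  # drop any query string
    return any(p.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request for a sensitive file.

    data_exposed is True only when the server answered 200, i.e. the
    cleartext file really left the host; a 403/404 means the directory
    permissions or web server configuration blocked the request.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        status = int(rec["status"])
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "path": rec["path"],
            "status": status,
            "data_exposed": status == 200,
        })
    return findings


def exposed_sources(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted list of client addresses that successfully retrieved a data file."""
    return sorted({str(f["host"]) for f in findings if f["data_exposed"]})


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2001:10:15:22 +0000] "GET /cgi-bin/DCShop/dcshop.cgi HTTP/1.0" 200 4821',
    '192.0.2.44 - - [18/Jun/2001:10:16:03 +0000] "GET /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 200 13377',
    '192.0.2.44 - - [18/Jun/2001:10:16:09 +0000] "GET /cgi-bin/DCShop/Auth_data/auth_user_file.txt HTTP/1.0" 200 58',
    '198.51.100.7 - - [18/Jun/2001:11:02:41 +0000] "GET /cgi-bin/DCShop/Orders/orders.txt HTTP/1.1" 403 231',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        flag = "EXPOSED" if f["data_exposed"] else "blocked"
        print(f'{f["time"]} {f["host"]} {f["path"]} -> {f["status"]} ({flag})')
    print("clients that obtained cleartext data:", exposed_sources(results))
```

Run against the real access log (one line per list element) the script reports every retrieval of the orders or auth file; any finding marked exposed means customer card data or admin credentials have already been read and the affected customers and credentials need to be handled accordingly, in addition to fixing the directory permissions the advisory describes.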