DCShop Shopping Cart Lets Remote Users Obtain Names and Credit Card Numbers for Recent Orders

Date: Jun 19 2001 02:01 (UTC/GMT)

Impact: Disclosure of authentication information, Disclosure of user information

Exploit Included: Yes
Vendor Confirmed: Yes

Version(s): 1.002 BETA; possibly earlier betas
Description: A vulnerability has been reported in the beta version of DCShop, a shopping cart application. The security hole allows remote users to retrieve credit card numbers in plaintext from the server if the server is not properly configured.

It is reported that the vulnerability can only be triggered on systems that are not properly configured (for example, systems where the "Everyone" group is configured to have "Full Access" to the cgi-bin directory and its subdirectories). On properly configured systems, a web-based user can only execute scripts within the cgi-bin directory and cannot view text files.

It is reported that a remote user can obtain a text file containing all recent orders, including names, shipping addresses, billing addresses, e-mail addresses, and credit card data by issuing the following type of URL:

http://[targethost]/cgi-bin/DCShop/Orders/orders.txt

It is also reportedly possible for a remote user to obtain the administrator's name and password from a different text file by issuing the following type of URL:

http://[targethost]/cgi-bin/DCShop/Auth_data/auth_user_file.txt

Note that the vendor recommends against using the beta version for e-commerce.
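The root cause described above is a permissions error rather than a code defect: data files that the cart writes into the cgi-bin tree (order records, the administrator credential file) are readable by the web server's anonymous identity, so a plain GET returns them instead of a script result. The following is an added example, not code from the advisory or from DCShop, of how an administrator could audit a CGI tree for that condition on a UNIX-style host. It assumes POSIX permission bits (the `S_IROTH` "world-readable" bit stands in for the "Everyone"/"Full Access" setting the advisory mentions), treats files with the suffixes in `SCRIPT_SUFFIXES` as scripts meant to be executed, and builds a constructed directory layout mirroring the advisory's paths with fake contents so it runs offline; the function names are the example's own.

```python
"""Audit a CGI tree for data files that a web server could hand out as plain text.

Added example (not from the advisory or DCShop). Assumes a UNIX-style
filesystem: a non-script file under cgi-bin that is world-readable is flagged,
since that is the misconfiguration the advisory describes.
"""
import os
import stat
import tempfile

# Files with these suffixes are assumed to be CGI scripts, which the server
# executes rather than serves; everything else under cgi-bin is data.
SCRIPT_SUFFIXES = (".cgi", ".pl", ".py", ".sh")


def world_readable(path):
    """True if the 'other' read bit is set (readable by any local user, and
    therefore by the web server's anonymous identity)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_cgi_tree(root):
    """Return a sorted list of data files under root that are world-readable.

    Paths are returned relative to root with '/' separators so results are
    easy to compare against URL paths the server would expose."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(SCRIPT_SUFFIXES):
                continue  # scripts are meant to be invoked, not read
            if world_readable(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(rel)
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout mirroring the advisory's paths; contents are fake.

    orders.txt is left world-readable (the vulnerable state); the credential
    file is owner-only, which is the corrected state."""
    layout = {
        "DCShop/dcshop.cgi": ("#!/usr/bin/perl\n", 0o755),
        "DCShop/Orders/orders.txt": (
            "1|Jane Doe|4111-1111-1111-1111 (fake test number)|01/03\n", 0o644),
        "DCShop/Auth_data/auth_user_file.txt": ("admin|<hash>\n", 0o600),
    }
    for rel, (content, mode) in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return base


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_cgi_tree(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print("world-readable data file under cgi-bin:", finding)
```

Run against a real `cgi-bin` directory, `audit_cgi_tree("/path/to/cgi-bin")` lists every non-script file the server's anonymous identity can read; in the sample tree only `DCShop/Orders/orders.txt` is reported, because the credential file has already been restricted to its owner and the `.cgi` script is expected to be executable. The suffix list is a simplification: a server that maps scripts by handler rather than extension needs the check adapted to its own configuration.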
Impact: A remote user can obtain names, addresses, and credit card data for recent orders from the server. A remote user may also be able to obtain the administrator's username and password from the server.

Solution: The vendor has posted configuration recommendations. See the Vendor URL.

Vendor URL: www.dcscripts.com/dcforum/dcshop/44.html (Links to External Site)

Cause: Access control error, Configuration error

Underlying OS: Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Reported By: Peter Helms <peter.helms@ey.dk>

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: 18 Jun 2001 12:08:54 -0000
From: Peter Helms <peter.helms@ey.dk>
Subject: DCShop vulnerability
DCShop vulnerability

We have seen several Web shops using your DCShop product as an E-commerce system, where it is possible for unauthorized persons via a Web browser to retrieve customer credit card numbers in cleartext.

Although the developers on their Web site recommend not to use the beta product for commercial use, we have found sites already using it commercially.

The issue does not show up on properly configured servers, i.e. where the "Everyone"-group has "Full Access" to the CGI-BIN or sub-folders, more info below.

The requests are made to the following URL:
http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt

This will trigger the Web host to send a text file with all recent orders, including the end-user's name, shipping and billing address, e-mail address AND CREDIT CARD NUMBERS with exp-dates.

It is also in some cases possible to find the administrator name and password in another text file from a URL:
http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt

We have reported this issue to the developer, DCscripts.com, who within hours posted a security issue bulletin on their web site to clarify the recommendations for their software:
http://www.dcscripts.com/dcforum/dcshop/44.html

Peter Helms
Ernst & Young, Denmark
peter.helms@ey.dk