CGI Online Worldweb Shopping (COWS) E-Commerce System Discloses User Information and Order Data to Remote Users and Also Permits Cross-site Scripting Attacks
SecurityTracker Alert ID: 1003309
SecurityTracker URL: http://securitytracker.com/id/1003309
Date: Jan 21 2002
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included: Yes
Several vulnerabilities were reported in the CGI Online Worldweb Shopping (COWS) commerce system. The system discloses critical information to remote users and enables cross-site scripting attacks.
It is reported that the /diagnose.cgi and /compatible.cgi scripts will disclose files in the web directory and information about the system to remote users.
A remote user can reportedly obtain the 'config.asc' file from the 'cownsconf' directory, which contains the encrypted admin password and the location of the web root directory and other critical directories (e.g., 'orders', 'custdata'). A remote user can apparently view *.asc files in the 'custdata' directory containing user information (e.g., e-mail address, name, postal address, phone number, password). A remote user can apparently view information about previous orders (e.g., username, date, card type, card expiration data, price) in the 'orders' directory.
These scripts also reportedly allow a remote user to supply malicious scripts as part of a cross-site scripting attack. The following type of URLs can be used to execute scripts on the viewing user's browser:
The vendor has reportedly been notified.
A remote user can view files on the system that contain critical and sensitive information. A remote user can also conduct cross-site scripting attacks using the web site so that arbitrary code appearing to originate from the commerce web site can be executed on another user's browser, where the code can access the other user's cookies associated with the commerce site.
No solution was available at the time of this entry.
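In the absence of a fix, an operator can review the web server access log for requests to the two scripts and to the data directories named above. The following Python check is an added example, not part of the original advisory or of COWS; it assumes common/combined log format and that the directories sit under the web root with the names the advisory gives, and the log lines and the query parameter `x` are constructed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Script and directory names as given in the advisory. Assumption: the
# directories are reachable under the web root with these names.
DIAG_SCRIPTS = {"diagnose.cgi", "compatible.cgi"}
DATA_DIRS = {"cownsconf", "custdata", "orders"}

# Common/combined log format: client first, request line in quotes, then status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (client, status, findings) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    raw_path, _, raw_query = target.partition("?")
    # Decode twice so double-encoded input (%253C) is normalised as well.
    path = unquote(unquote(raw_path)).lower()
    query = unquote_plus(unquote_plus(raw_query))
    segments = [s for s in path.split("/") if s]
    findings = []
    if DIAG_SCRIPTS & set(segments):
        findings.append("diagnostic-script")
        if "<" in query or ">" in query:
            findings.append("markup-in-query")
    if DATA_DIRS & set(segments[:-1]):
        findings.append("data-file-request")
    return (client, status, findings) if findings else None

def scan(log_text):
    """Classify every line and keep only the suspicious requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120
192.0.2.44 - - [21/Jan/2002:10:02:13 +0000] "GET /diagnose.cgi HTTP/1.0" 200 9911
192.0.2.44 - - [21/Jan/2002:10:02:40 +0000] "GET /cownsconf/config.asc HTTP/1.0" 200 734
192.0.2.44 - - [21/Jan/2002:10:03:05 +0000] "GET /custdata/alice.asc HTTP/1.0" 200 212
198.51.100.7 - - [21/Jan/2002:10:09:30 +0000] "GET /compatible.cgi?x=%3Cscript%3E HTTP/1.0" 200 1800
198.51.100.9 - - [21/Jan/2002:10:11:00 +0000] "GET /orders/sample-order HTTP/1.0" 403 0
"""

if __name__ == "__main__":
    for client, status, findings in scan(SAMPLE_LOG):
        print(client, status, ",".join(findings))
```

A `data-file-request` hit answered with status 200 means the file was served, so the accounts and orders it covers should be treated as exposed.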
Vendor URL: www.cows.co.uk/
Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments: Perl-based
Source Message Contents
Subject: Security holes in COWS (CGI Online Worldweb Shopping)
There are some holes in the CGI e-commerce
service: COWS (CGI Online Worldweb Shopping).
/diagnose.cgi and /compatible.cgi give some
information about the computer
and all the files in the website directory.
They can also be used for cross-site scripting:
In the "cownsconf" directory, the file config.asc
contains the crypted admin password
(which can maybe be used with cookies), the website
location on the HD, the "orders" directory,
the "custdata" directory,...
In the custdata directory are a few *.asc files.
They contain users' information:
email, name, address, phone and password.
The user's login is the file name.
In the orders directory, the purchases of the
Username, Date, Card Type, Card Expires, Card
To know what was bought, look at the "item.1" value
in /*cowsconfdir*/catalog.asc.
Some details about all this (in French) here:
COWS has been warned.