SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   VP-ASP Vendors:   Virtual Programming
Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
SecurityTracker Alert ID:  1004382
SecurityTracker URL:  http://securitytracker.com/id/1004382
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2002
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A configuration vulnerability was reported in the VP-ASP shopping cart. A remote user may be able to download the master database, which may include unencrypted credit card details. A remote user may also be able to use default passwords to take full control of the application.

It is reported that the default configuration of the shopping cart software is not secure.

According to the report, many users of the software do not change the default login usernames and passwords ('vpasp/vpasp' or 'admin/admin'). This allows remote users to login and take control of the commerce site using the following type of URL:

http://[host]/[vpasp dir]/shopadmin.asp

On many systems, the default configuration and storage file is a Microsoft Access database named shopping400.mdb or shopping300.mdb that is readable by remote users. The contents of the database, which includes customer and credit card details, is not encrypted by default.

A remote user can, without any authentication, invoke the VP-ASP diagnostic tool 'shopdbtest.asp' to determine where the database file is located, even if the location has changed. If the database file is still in its default configuration or is still under the web root directory, the remote user can download the file without authentication

Impact:   A remote user may be able to download the master database if it is still in its default configuration location. The database includes credit card details that are, by default, not encrypted. A remote user may also be able to use default user account names and passwords to take full control of the application.
Solution:   No solution was available at the time of this entry.

The vendor has reportedly confirmed the vulnerabilities and indicates that the Developer's guide and Installation guide and the FAQ on the vendor's web site address all of these issues.

Vendor URL:  www.vpasp.com/ (Links to External Site)
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(An Additional Vulnerability is Reported) Re: Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
An additional vulnerability was reported.
(Vendor Issues Fix) Re: Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
The vendor has issued a fix.



 Source Message Contents

Subject:  [VulnWatch] VP-ASP shopping cart software.




NOTE: Please Just ignore the tags, there just notes ect. to make a .txt 
document a little more readable, or not.

<short>
	Several  security issues in the VP-ASP shopping cart software

<dot>Path Information Disclosure Vulnerability.
<dot>Insecure perrmissions on configuration file.

</short>

<synopsis>


- A remote vulnerability in VP-ASP shopping cart software that can disclose 
the location of the database/configuration data to an unprivilaged user, and 
will allow a user to change the location of the database.

-Allow by defult, accessibilty of the database/configuration file to any 
user remotly.
</synopsis>


-- Multiple Vulnerabilities in VP-ASP software --

()()()()()()()()()()()()()()()()()()()()()()()()()()()()
		VP-ASP
()()()()()()()()()()()()()()()()()()()()()()()()()()()()

[ Kowchews security advisory]
<MD5>A71EB48778DD7953256EAAF8F02F0AD1</MD5>

Description:
( http://www.vpasp.com )
There are several problems in the "vp-asp" shopping cart software. These are 
a result of default installations.

This may allow:
An attacker to locate the database/configuration.
An attacker to change the location of the databse/configuration file.
An attacker to download the database/configuration file.
An attacker to log in as the administrator of the VP-ASP software.



Introduction:
( according to the VP-ASP website )
----------------------------------
Installation - VP-ASP installs in minutes and never modifies your computer 
in any way.

Customization - Using your browser, you will be able to configure over 240 
different features of VP-ASP. For quick shops, simply configure four items 
such as your e-mail details via the browser, add your products via the 
browser and your shop is up and running. Full online help is available.

----------------------
VP-ASP

can run on:
Windows 95/98/ME there is Personal Web Server.
Windows NT/2000/XP Professional there is IIS.
Windows XP Home. Sorry but Microsoft left you out.
and, VP-ASP Unix version will run under Chili!Soft ASP  
(www.chillisoft.com).
--------------------


Details:

Vunerable: Probably all versions to date which have not been hardened after 
being installed.

<dot> By default the login/passwords are vpasp/vpasp or admin/admin , many 
web sites do not have these changes, thus in some places anyone can login 
from the [ pretty ] web interface

http:/ / [ host ] / [ vpasp dir ] /shopadmin.asp


<dot> By default the Microsoft access configuration and storage file is 
named shopping400.mdb/shopping300.mdb, and is readable from the internet, a 
bad thing considering that it contains most, if not all of the configuration 
data including person details and credit card details which are by default, 
unencripted/protected.

editor =(   ]

<dot>Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so 
kind as to give anyone who wants it the location to the database file [ 
given as xDatabase in the page ] even if the location has been changed.

NOTE:You do NOT have to be logged in as the administrator [ VP-ASP admin ] 
to download the database/config file.

NOTE: The database is an microsoft [ 2000 or 97 ] access file so,  [ 
xDatabase + .mdb ] appending a .mdb to the database location will the the 
files location.
ie. http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ]

NOTE: Thankfully, not all sites are vunrible, many sensible administrators 
have stored the file outside of the webroot  =)  [ Followed the instructions 
on the website ], but infomation is still availible as to the locality of 
the file .

So, in some cases the database/config file is accessible via an internet 
browser

disclose the same information, but its not as pretty and doesn't keep with 
the theme of the website .[ Not exactly a huge incentive to stay away but 
..... ]

There is another reason to love shopdbtest.asp, it is able to change the 
position of the database file.

You would be able to anyway if the default user/pass was still there; 
remember :

"Using your browser, you will be able to configure over 240 different 
features of VP-ASP."

Attackers can easily search for sites [ en mass ]  running the product  [ 
VP-ASP ], just buy using a search engine , like google
[ Why would you use anything else ? ]

e.g.. http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp

NOTE: shopdisplaycategories.asp is a main page for vp-asp, google gave me 
1,0** sites using this software, although it should be expected some are 
just running the demo and some are sensible.

Just have a look under "Advanced search" in your favorite search engine and 
look for shopdisplaycategories.asp ONLY in the URL of the page.

http://search.lycos.com/main/adv.asp
http://www.google.com/advanced_search

Another handy thing about the website is this 
page,http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy 
VP-ASP users.


Fix / workaround:
I sent and email and the nice people at VP-ASP sent one back =)

<reply from support@vpasp.com>

I am unsure who you are but we are well aware of all the issues raised in
this note.

Our Developer's guide and Installation guide and our faq on our web site go
through all these issues and more


1. We absolutely recommend that the database be in a directory not viewable
from the web to prevent hacker downloads. VP-ASP fully supports this but
using either Windows indirect addressing or direct driver addresses or ODBC
connections.

2. We recommend all our diagnostic tools be taken off after the production
site it set up. Even if the database name is known, if it "off the web:, we
believe disclosing the name is of no use to the hacker.

3. We certainly recommend altering the administrative userids and passwords.
In addition we support facilities where the actual login page can be hidden.
In that case the hacker could not find the login page if they know the
password

We have to weigh ease of installation for first time e-commerce customers
and security for production sites. We believe we have accomplished this but
it is obviously up to each site owner to take our recommendations and act on
them.

Howard Kadetz
VP-ASP Support

</reply from support@vpasp.com>

The page seems to cover all of this, but still, many people are not cautious 
enough, I would like to thank the developer for his speedy responce. It 
looks like very sound reasonable and quality infomation to harden your 
VP-ASP software, but .....

I would like to make the point that after all he/she has said the VP-ASP 
website's online test [ http://www.vpasp.com/demo400/ ] is running the 
shopdbtest.asp
[ http://www.vpasp.com/demo400/shopdbtest.asp]  ,

when I put in a new database file
.xDatabase   from .\..\test --> test and pressed the "test database" button.
You'll never guess what happened !

<quote>
Database Read Database cannot be read Verify that the database is at the 
physical location in the open message Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Write Database cannot be written Verify that the database is in a 
folder that has both read and write access Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Permissions Database Permissions are not correct Read the FAQ on 
our web site regarding permission for the anonymous user IUSR
</quote>

Maybe someone should read the security FAQ-> 
www.vpasp.com/virtprog/info/faq_security.htm ?


Remeber connections may need passwords, which may well be specified in the 
shopdbtest.asp file.

It might not hurt to give a list of files to be removed.


<id>Kowchew.</id>


_________________________________________________________________
http://www.hotmail.com



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC