SecurityTracker.com
SecurityTracker Archives
Category:   Application (Commerce)  >   VP-ASP
Vendors:   Virtual Programming
(An Additional Vulnerability is Reported) Re: Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
SecurityTracker Alert ID:  1004384
SecurityTracker URL:  http://securitytracker.com/id/1004384
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 28 2002
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Several vulnerabilities were reported in the VP-ASP shopping cart. A remote user may be able to download the master database, which may include unencrypted credit card details. A remote user may also be able to use default passwords or SQL injection attacks to take full control of the application.

In the original alert, it was reported that the default configuration of the shopping cart software is not secure.

According to the original report, many users of the software do not change the default login usernames and passwords ('vpasp/vpasp' or 'admin/admin'). This allows remote users to login and take control of the commerce site using the following type of URL:

http://[host]/[vpasp dir]/shopadmin.asp

On many systems, the default configuration and storage file is a Microsoft Access database named shopping400.mdb or shopping300.mdb that is readable by remote users. The contents of the database, which include customer and credit card details, are not encrypted by default.

A remote user can, without any authentication, invoke the VP-ASP diagnostic tool 'shopdbtest.asp' to determine where the database file is located, even if the location has changed. If the database file is still in its default configuration or is still under the web root directory, the remote user can download the file without authentication.
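As an added example (not part of this alert or of VP-ASP), the following Python triage scans IIS W3C extended log lines for the two exposures just described: hits on the diagnostic pages that reveal the database path, and direct requests for the Access .mdb file itself. The log lines are constructed, and the field order is assumed to follow the #Fields header shown.

```python
"""Added example: scan IIS W3C extended log lines for the exposures the alert
describes: hits on the diagnostic pages that reveal the database path, and
direct requests for the Access .mdb file itself. Sample log lines are constructed."""
from urllib.parse import unquote

# Pages the alert names as disclosing the database location without authentication.
DIAGNOSTIC_PAGES = {"shopdbtest.asp", "shopa_sessionlist.asp"}

# Constructed sample; field order follows the #Fields header (W3C extended format).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-27 10:54:01 192.0.2.10 GET /shop/shopdisplaycategories.asp - 200
2002-05-27 10:54:07 192.0.2.10 GET /shop/shopdbtest.asp - 200
2002-05-27 10:54:19 192.0.2.10 GET /shop/shopping400.mdb - 200
2002-05-27 11:02:44 198.51.100.7 GET /shop/shopa_sessionlist.asp - 200
2002-05-27 11:03:10 198.51.100.7 GET /shop/data/shopping300.MDB - 404
2002-05-27 11:10:00 203.0.113.5 GET /shop/shopadmin.asp - 200
"""

def triage(log_text):
    """Return (finding, client_ip, uri, status) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue                      # malformed or truncated line
        _date, _time, ip, _method, stem, _query, status = parts[:7]
        name = unquote(stem).lower().rsplit("/", 1)[-1]
        if name in DIAGNOSTIC_PAGES:
            findings.append(("diagnostic-page", ip, stem, int(status)))
        elif name.endswith(".mdb"):
            # A 200 means the database itself was served from under the web root;
            # anything else is still a probe for it that is worth recording.
            kind = "database-download" if status == "200" else "database-probe"
            findings.append((kind, ip, stem, int(status)))
    return findings

def clients_with_disclosure_then_download(findings):
    """IPs that both located the database via a diagnostic page and fetched it."""
    seen = {}
    for kind, ip, _uri, _status in findings:
        seen.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in seen.items()
                  if {"diagnostic-page", "database-download"} <= kinds)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(clients_with_disclosure_then_download(triage(SAMPLE_LOG)))
```

A client that appears in the second function's output has most likely obtained the full database, including any card data it holds, and should be treated as a confirmed disclosure rather than a probe.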

BeyondSecurity (SecuriTeam) added that the software is also vulnerable to SQL injection attacks that allow a remote user to access an administrative page without knowing the administrator's username or password. The following strings can reportedly be used to gain administrative access:

Username: 'or''='
(i.e., enter just: 'or''=' )

Password: 'or''='
(i.e., enter just: 'or''=' )
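As an added example, not code from VP-ASP or from this alert, the following Python shows why those two strings bypass a login whose SQL is built by string concatenation, and how a parameterised query stops them. The admins table is a constructed SQLite stand-in for the shop's Access database, since the product's own login query is not on the page.

```python
"""Added example, not VP-ASP code: why the 'or''=' strings bypass a login
whose SQL is built by string concatenation, and how binding parameters stops it.
The admins table is a constructed SQLite stand-in for the shop's Access database."""
import sqlite3

PAYLOAD = "'or''='"   # the username/password string quoted in the alert

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")  # constructed schema
    con.execute("INSERT INTO admins VALUES ('admin', 'changed-from-default')")
    return con

def login_concat(con, username, password):
    """Vulnerable pattern: input spliced into the SQL text. With PAYLOAD in both
    fields the WHERE clause becomes  username=''or''='' AND password=''or''=''
    which, because OR binds weaker than AND, is true for every row."""
    sql = ("SELECT username FROM admins WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in con.execute(sql)], sql

def login_param(con, username, password):
    """Hardened pattern: the driver binds the values, so quotes remain data and
    the payload is compared literally against the stored credentials."""
    sql = "SELECT username FROM admins WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]

if __name__ == "__main__":
    con = make_db()
    rows, sql = login_concat(con, PAYLOAD, PAYLOAD)
    print(sql)
    print("concatenated query matched:", rows)       # ['admin']: bypass succeeded
    print("parameterised query matched:", login_param(con, PAYLOAD, PAYLOAD))  # []
```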

Impact:   A remote user may be able to download the master database if it is still in its default configuration location. The database includes credit card details that are, by default, not encrypted. A remote user may also be able to gain access to administrative pages.
Solution:   No solution was available at the time of this entry.

The vendor has reportedly confirmed the default configuration vulnerabilities and indicates that the Developer's guide, the Installation guide and the FAQ on the vendor's web site address those issues.

The vendor has not confirmed the SQL injection vulnerability. [Editor's note: It is not likely that any configuration changes could correct the SQL injection flaw -- a vendor fix would be necessary.]

Vendor URL:  www.vpasp.com/
Cause:   Configuration error, error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 27 2002 Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users



Source Message Contents

Subject:  Re: VP-ASP shopping cart software.


Hi,

A small thing the original advisory author has not mentioned is that SQL
injection is also possible, allowing you to enter the administrative page
without actually knowing the administrator username and password used, example:
Username: 'or''='
( i.e. enter just: 'or''=' )
Password: 'or''='
( i.e. enter just: 'or''=' )

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "hkvrg thdftghr" <alias404@hotmail.com>
To: <bugtraq@securityfocus.com>
Sent: Monday, May 27, 2002 10:54
Subject: VP-ASP shopping cart software.


>
>
> NOTE: Please just ignore the tags, they're just notes etc. to make a .txt
> document a little more readable, or not.
>
> <short>
> Several security issues in the VP-ASP shopping cart software
>
> <dot>Path Information Disclosure Vulnerability.
> <dot>Insecure permissions on configuration file.
>
> </short>
>
> <synopsis>
>
> -Default passwords that allow 'admin' access in the VP-ASP script
>
> - A remote vulnerability in VP-ASP shopping cart software that can disclose
> the location of the database/configuration data to an unprivileged user, and
> will allow a user to change the location of the database.
>
> -Allow by default, accessibility of the database/configuration file to any
> user remotely.
> </synopsis>
>
>
> -- Multiple Vulnerabilities in VP-ASP software --
>
> ()()()()()()()()()()()()()()()()()()()()()()()()()()()()
> VP-ASP
> ()()()()()()()()()()()()()()()()()()()()()()()()()()()()
>
> [ Kowchews security advisory]
> <MD5>A71EB48778DD7953256EAAF8F02F0AD1</MD5>
>
> Description:
> ( http://www.vpasp.com )
> There are several problems in the "vp-asp" shopping cart software. These are
> a result of default installations.
>
> This may allow:
> An attacker to locate the database/configuration.
> An attacker to change the location of the database/configuration file.
> An attacker to download the database/configuration file.
> An attacker to log in as the administrator of the VP-ASP software.
>
>
>
> Introduction:
> ( according to the VP-ASP website )
> ----------------------------------
> Installation - VP-ASP installs in minutes and never modifies your computer
> in any way.
>
> Customization - Using your browser, you will be able to configure over 240
> different features of VP-ASP. For quick shops, simply configure four items
> such as your e-mail details via the browser, add your products via the
> browser and your shop is up and running. Full online help is available.
>
> ----------------------
> VP-ASP
>
> can run on:
> Windows 95/98/ME there is Personal Web Server.
> Windows NT/2000/XP Professional there is IIS.
> Windows XP Home. Sorry but Microsoft left you out.
> and, VP-ASP Unix version will run under Chili!Soft ASP
> (www.chillisoft.com).
> --------------------
>
>
> Details:
>
> Vulnerable: Probably all versions to date which have not been hardened after
> being installed.
>
> <dot> By default the login/passwords are vpasp/vpasp or admin/admin , many
> web sites have not changed these, thus in some places anyone can login
> from the [ pretty ] web interface
>
> http://[host]/[vpasp dir]/shopadmin.asp
>
>
> <dot> By default the Microsoft Access configuration and storage file is
> named shopping400.mdb/shopping300.mdb, and is readable from the internet, a
> bad thing considering that it contains most, if not all of the configuration
> data including person details and credit card details which are by default,
> unencrypted/unprotected.
>
> [ It may contain more information but I've only ever read it with a hex
> editor =(   ]
>
> <dot>Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so
> kind as to give anyone who wants it the location to the database file [
> given as xDatabase in the page ] even if the location has been changed.
>
> NOTE:You do NOT have to be logged in as the administrator [ VP-ASP admin ]
> to download the database/config file.
>
> NOTE: The database is a Microsoft [ 2000 or 97 ] Access file so, [
> xDatabase + .mdb ] appending a .mdb to the database location will be the
> file's location.
> ie. http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ]
>
> NOTE: Thankfully, not all sites are vulnerable, many sensible administrators
> have stored the file outside of the webroot  =)  [ Followed the instructions
> on the website ], but information is still available as to the locality of
> the file.
>
> So, in some cases the database/config file is accessible via an internet
> browser
>
> NOTE: "shopdbtest.asp" is not the only culprit, "shopa_sessionlist.asp" will
> disclose the same information, but it's not as pretty and doesn't keep with
> the theme of the website. [ Not exactly a huge incentive to stay away but
> ..... ]
>
> There is another reason to love shopdbtest.asp, it is able to change the
> position of the database file.
>
> You would be able to anyway if the default user/pass was still there;
> remember :
>
> "Using your browser, you will be able to configure over 240 different
> features of VP-ASP."
>
> Attackers can easily search for sites [ en masse ] running the product
> [ VP-ASP ], just by using a search engine, like google
> [ Why would you use anything else ? ]
>
> e.g. http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp
>
> NOTE: shopdisplaycategories.asp is a main page for vp-asp, google gave me
> 1,0** sites using this software, although it should be expected some are
> just running the demo and some are sensible.
>
> Just have a look under "Advanced search" in your favorite search engine and
> look for shopdisplaycategories.asp ONLY in the URL of the page.
>
> http://search.lycos.com/main/adv.asp
> http://www.google.com/advanced_search
>
> Another handy thing about the website is this
> page, http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy
> VP-ASP users.
>
>
> Fix / workaround:
> I sent an email and the nice people at VP-ASP sent one back =)
>
> <reply from support@vpasp.com>
>
> I am unsure who you are but we are well aware of all the issues raised in
> this note.
>
> Our Developer's guide and Installation guide and our faq on our web site go
> through all these issues and more
>
>
> 1. We absolutely recommend that the database be in a directory not viewable
> from the web to prevent hacker downloads. VP-ASP fully supports this by
> using either Windows indirect addressing or direct driver addresses or ODBC
> connections.
>
> 2. We recommend all our diagnostic tools be taken off after the production
> site is set up. Even if the database name is known, if it is "off the web", we
> believe disclosing the name is of no use to the hacker.
>
> 3. We certainly recommend altering the administrative userids and passwords.
> In addition we support facilities where the actual login page can be hidden.
> In that case the hacker could not find the login page if they know the
> password.
>
> We have to weigh ease of installation for first time e-commerce customers
> and security for production sites. We believe we have accomplished this but
> it is obviously up to each site owner to take our recommendations and act on
> them.
>
> Howard Kadetz
> VP-ASP Support
>
> </reply from support@vpasp.com>
>
> The page seems to cover all of this, but still, many people are not cautious
> enough. I would like to thank the developer for his speedy response. It
> looks like very sound, reasonable and quality information to harden your
> VP-ASP software, but .....
>
> I would like to make the point that after all he/she has said the VP-ASP
> website's online test [ http://www.vpasp.com/demo400/ ] is running the
> shopdbtest.asp
> [ http://www.vpasp.com/demo400/shopdbtest.asp]  ,
>
> when I put in a new database file
> .xDatabase   from .\..\test --> test and pressed the "test database" button.
> You'll never guess what happened !
>
> <quote>
> Database Read Database cannot be read Verify that the database is at the
> physical location in the open message Microsoft Message
> Open Messages
> Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
> Database Write Database cannot be written Verify that the database is in a
> folder that has both read and write access Microsoft Message
> Open Messages
> Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
> Database Permissions Database Permissions are not correct Read the FAQ on
> our web site regarding permission for the anonymous user IUSR
> </quote>
>
> Maybe someone should read the security FAQ->
> www.vpasp.com/virtprog/info/faq_security.htm ?
>
>
> Remember connections may need passwords, which may well be specified in the
> shopdbtest.asp file.
>
> It might not hurt to give a list of files to be removed.
>
>
> <id>Kowchew.</id>
>
>


Copyright 2022, SecurityGlobal.net LLC