SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Commerce)  >   VP-ASP Vendors:   Virtual Programming
(Vendor Issues Fix) Re: Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
SecurityTracker Alert ID:  1004500
SecurityTracker URL:  http://securitytracker.com/id/1004500
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 10 2002
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A configuration vulnerability was reported in the VP-ASP shopping cart. A remote user may be able to download the master database, which may include unencrypted credit card details. A remote user may also be able to use default passwords to take full control of the application.

It is reported that the default configuration of the shopping cart software is not secure.

According to the report, many users of the software do not change the default login usernames and passwords ('vpasp/vpasp' or 'admin/admin'). This allows remote users to login and take control of the commerce site using the following type of URL:

http://[host]/[vpasp dir]/shopadmin.asp

On many systems, the default configuration and storage file is a Microsoft Access database named shopping400.mdb or shopping300.mdb that is readable by remote users. The contents of the database, which include customer and credit card details, are not encrypted by default.

A remote user can, without any authentication, invoke the VP-ASP diagnostic tool 'shopdbtest.asp' to determine where the database file is located, even if the location has been changed. If the database file is still in its default location or is still anywhere under the web root directory, the remote user can download the file without authentication.
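
As an added illustration (not part of the advisory or of the vendor's software), the Python below scans IIS W3C log lines for the request patterns this advisory describes: hits on shopdbtest.asp, direct retrieval of a .mdb file from under the web root, and POSTs to shopadmin.asp. The log field order and the sample log lines are constructed assumptions.

```python
import re

# Field order assumed for the constructed sample log (IIS W3C extended format).
LOG_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Paths named in the advisory; IIS paths are case-insensitive, so match that way.
DIAG_TOOL = re.compile(r"/shopdbtest\.asp$", re.I)
ACCESS_DB = re.compile(r"\.mdb$", re.I)
ADMIN_PAGE = re.compile(r"/shopadmin\.asp$", re.I)

def parse_line(line):
    """Return a dict of fields for one W3C log line, or None for comments and blanks."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(LOG_FIELDS, parts)) if len(parts) >= len(LOG_FIELDS) else None

def classify(entry):
    """Map one parsed entry to a finding label, or None if it is unremarkable."""
    stem, status = entry["cs-uri-stem"], entry["sc-status"]
    if DIAG_TOOL.search(stem):
        return "diagnostic-tool-probe"  # shopdbtest.asp reveals where the .mdb lives
    if ACCESS_DB.search(stem):
        # A 200 means the Access file was actually served from under the web root.
        return "database-download" if status == "200" else "database-probe"
    if ADMIN_PAGE.search(stem) and entry["cs-method"].upper() == "POST":
        return "admin-login-attempt"  # credentials are not logged; only the attempt is
    return None

def scan_log(lines):
    """Return (client_ip, uri_stem, label) for every suspicious request, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["c-ip"], entry["cs-uri-stem"], label))
    return findings

# Constructed sample log: diagnostic probe, successful .mdb download, admin POST, one ordinary hit.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-10 10:01:02 192.0.2.10 GET /shop/shopdbtest.asp - 200
2002-06-10 10:01:09 192.0.2.10 GET /shop/database/shopping400.mdb - 200
2002-06-10 10:02:00 192.0.2.10 POST /shop/shopadmin.asp - 302
2002-06-10 10:02:30 192.0.2.44 GET /shop/default.asp - 200
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` on the constructed log flags the first three requests and ignores the ordinary page view; a successful .mdb download after a shopdbtest.asp probe from the same client is the sequence worth alerting on.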

Impact:   A remote user may be able to download the master database if it is still in its default configuration location. The database includes credit card details that are, by default, not encrypted. A remote user may also be able to use default user account names and passwords to take full control of the application.

Solution:   The vendor has issued a fix. For more information, see the vendor's security information page at:

http://www.vpasp.com/virtprog/info/faq_security.htm

The vendor has also issued a security supplement for customers:

http://www.vpasp.com/sales400/addons400.asp

Vendor URL:  www.vpasp.com/
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 27 2002 Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users



Source Message Contents

Subject:  Re: VP-ASP shopping cart software.


A number of issues have been raised regarding VP-ASP Shopping Cart
(www.vpasp.com) security.

I believe we have addressed all these issues but because it is of great
concern we have taken the following steps:

1. We have updated our security information page
www.vpasp.com/virtprog/info/faq_security.htm

2. We have created a security supplement that our customers can download but
hackers cannot unless they are also customers with more details on certain
aspects of security that we do not want to publicly post.
www.vpasp.com/sales400/addons400.asp

3. We have placed security links on our home page www.vpasp.com to make the
information more readily found.

4. We have updated our distribution files to include all known security
"holes".

I welcome additional feedback on any issues raised by yourself or in any
forum.

Howard Kadetz
VP-ASP


Copyright 2022, SecurityGlobal.net LLC