Bugtraq mailing list archives
Xato Advisory: Multiple Cart32 Vulnerabilities
From: ".sozni" <sozni () XATO NET>
Date: Fri, 10 Nov 2000 09:00:54 -0700
---------------------------------------------------------------------------- Xato Network Security, Inc. www.xato.net Security Advisory XATO-112000-01 November 9, 2000 - MULTIPLE VULNERABILITIES WITH CART32 SHOPPING CART - ---------------------------------------------------------------------------- Systems Affected ================ Win32-based servers using Cart32 v3.5 and below. Overview ======== The Cart32 shopping cart application from McMurtrey/Whitaker & Associates, Inc. is vulnerable to a number of information leakage and other attacks. Furthermore, common user misconfigurations and bad password encryption make the application more vulnerable, possibly allowing a full compromise of the server's security. Details ======= The Cart32 shopping cart application is a Win32 executable that resides on a web server as cart32.exe and c32web.exe. There are a number of parameters that can be passed to these CGI applications that will reveal server information, namely physical paths to the web root, physical paths to the Windows directory, and physical paths to the program files directory. The following urls demonstrate this problem: http://www.example.com/cgi-bin/cart32.exe/error http://www.example.com/cgi-bin/c32web.exe/ShowAdminDir http://www.example.com/cgi-bin/c32web.exe/CheckError?error=53 Cart32 is also vulnerable to a denial of service attack that will jump the processor to 100% usage by entering the following url: http://www.example.com/cgi-bin/c32web.exe/ShowProgress Cart32 has issued an updated version 3.5a that addresses most of these issues and has an updated version available at their web site (www.cart32.com). Another problem is that many people often (as set up by their ISP or web hosting company) put the cart32.ini file in the same directory as cart32.exe and c32web.exe. If that file is in that directory and is readable, then much more information can be revealed about the server, especially if the Debug section exists in that file. Cart32.ini contains a lightly encrypted admin password and server configuration information. The Debug section can contain plaintext passwords, server environment variables, and other sensitive information. The issue of leaving the cart32.ini file has been publicly discussed in the past and Cart32 does have a KB article about this issue but it is still a very common problem as any search engine will reveal. This issue does need to be readdressed, especially considering the weakness of their encryption. On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID 195) addressing the issue of the weak encryption. They also stated that they will not be releasing the actual algorithm. Because we do not agree with the concept of security through obscurity, we have put together this snippet of VBScript code to demonstrate how a password can be unencrypted: Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _ Chr(Asc(Mid(sPass, 5)) - 8) & _ Chr(Asc(Mid(sPass, 3)) - 16) & _ Chr(Asc(Mid(sPass, 15)) - 15) & _ Chr(Asc(Mid(sPass, 9)) - 9) & _ Chr(Asc(Mid(sPass, 1)) - 12) & _ Chr(Asc(Mid(sPass, 4)) - 3) & _ Chr(Asc(Mid(sPass, 11)) - 5) & _ Chr(Asc(Mid(sPass, 13)) - 11) & _ Chr(Asc(Mid(sPass, 6)) - 5) & _ Chr(Asc(Mid(sPass, 2)) - 1) & _ Chr(Asc(Mid(sPass, 2)) - 1) & _ Chr(Asc(Mid(sPass, 14)) - 13) & _ Chr(Asc(Mid(sPass, 12)) - 10) & _ Chr(Asc(Mid(sPass, 10)) - 6) & _ Chr(Asc(Mid(sPass, 7)) - 8) As mentioned in Colin Hart's advisory, version 3.5a will fix this problem. Solution ======== Cart32 was first notified of these problems on August 28, 2000. Cart32 has issued a version 3.5a release that addresses some of these issues but not all of them. If using Cart32 you should carefully read the knowledge base articles available on their web site. Commentary ========== The real problem here isn't that Cart32 has security problems, it is that programmers often are the weakest link in a network's security. Programmers want to open up doors, making it easier to use and debug their applications. Without proper security policy and training, you get problems like those addressed above as well as other problems that Cart32 has had in the past including hard-coded backdoor passwords. If a software developer does not value security, they will not take the time to protect their users. Another issue here is the encryption algorithm being used. The algorithm is based on obscurity not security and the algorithm is known to the developers of Cart32. That means that any employee there would be able to unencrypt any admin password they had access to. I would prefer a more standard encryption that could not be unencrypted by anyone, including employees of Cart32. Unfortunately, any security expert could take any one of the thousands of shopping cart applications available and find numerous holes. Many times these same applications are used by some very large companies. To make things worse, ISP's and web hosting companies are engaging in poor security practices and recommending those same practices to their customers. Until software developers take more steps to implement better security practices, this problem will continue to grow. Acknowledgements ================ Author: sozni (sozni () xato net) Thanks to: Royce, tgooat, xentury, D. Staheli, A. Shumway, M. Burnett This document is located at: http: //www.xato.net /reference /xato-112000-01.htm http: //www.xato.net /reference /xato-112000-01.txt Xato Network Security, Inc. is a Windows security consulting company that specializes in securing Windows NT4 and Windows 2000 web servers. We also provide code auditing services because secure web applications are as important as all other aspects of network security. Our programmers are well trained in security practices as well as development methodologies and can participate through all stages of the development process. For more information on our services please visit www.xato.net. ----------------------------------------------------------------------- THE INFORMATION PROVIDED IN THIS ADVISORY IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. XATO NETWORK SECURITY, INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. COPYRIGHT (c) 2000 XATO NETWORK SECURITY, INC. ALL RIGHTS RESERVED. ----------------------------------------------------------------------- Keywords: Xato, Cart32, IIS, CGI, shopping cart, encryption, secure programming, physical path, server information
Current thread:
- Xato Advisory: Multiple Cart32 Vulnerabilities .sozni (Nov 11)