VP-ASP shopping cart software.

["hkvrg thdftghr" <alias404 () hotmail com>]

NOTE: Please Just ignore the tags, there just notes ect. to make a .txt 
document a little more readable, or not.

<short>
        Several  security issues in the VP-ASP shopping cart software

<dot>Path Information Disclosure Vulnerability.
<dot>Insecure perrmissions on configuration file.

</short>

<synopsis>

-Default passwords that allow ‘admin’ access in the VP-ASP script

- A remote vulnerability in VP-ASP shopping cart software that can disclose 
the location of the database/configuration data to an unprivilaged user, and 
will allow a user to change the location of the database.

-Allow by defult, accessibilty of the database/configuration file to any 
user remotly.
</synopsis>


-- Multiple Vulnerabilities in VP-ASP software --

()()()()()()()()()()()()()()()()()()()()()()()()()()()()
                VP-ASP
()()()()()()()()()()()()()()()()()()()()()()()()()()()()

[ Kowchews security advisory]
<MD5>A71EB48778DD7953256EAAF8F02F0AD1</MD5>

Description:
( http://www.vpasp.com )
There are several problems in the "vp-asp" shopping cart software. These are 
a result of default installations.

This may allow:
An attacker to locate the database/configuration.
An attacker to change the location of the databse/configuration file.
An attacker to download the database/configuration file.
An attacker to log in as the administrator of the VP-ASP software.



Introduction:
( according to the VP-ASP website )
----------------------------------
Installation - VP-ASP installs in minutes and never modifies your computer 
in any way.

Customization - Using your browser, you will be able to configure over 240 
different features of VP-ASP. For quick shops, simply configure four items 
such as your e-mail details via the browser, add your products via the 
browser and your shop is up and running. Full online help is available.

----------------------
VP-ASP

can run on:
Windows 95/98/ME there is Personal Web Server.
Windows NT/2000/XP Professional there is IIS.
Windows XP Home. Sorry but Microsoft left you out.
and, VP-ASP Unix version will run under Chili!Soft ASP  
(www.chillisoft.com).
--------------------


Details:

Vunerable: Probably all versions to date which have not been hardened after 
being installed.

<dot> By default the login/passwords are vpasp/vpasp or admin/admin , many 
web sites do not have these changes, thus in some places anyone can login 
from the [ pretty ] web interface

http:/ / [ host ] / [ vpasp dir ] /shopadmin.asp


<dot> By default the Microsoft access configuration and storage file is 
named shopping400.mdb/shopping300.mdb, and is readable from the internet, a 
bad thing considering that it contains most, if not all of the configuration 
data including person details and credit card details which are by default, 
unencripted/protected.

[ It may contain more infomation but I’ve only ever read it with a hex 
editor =(   ]

<dot>Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so 
kind as to give anyone who wants it the location to the database file [ 
given as xDatabase in the page ] even if the location has been changed.

NOTE:You do NOT have to be logged in as the administrator [ VP-ASP admin ] 
to download the database/config file.

NOTE: The database is an microsoft [ 2000 or 97 ] access file so,  [ 
xDatabase + .mdb ] appending a .mdb to the database location will the the 
files location.
ie. http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ]

NOTE: Thankfully, not all sites are vunrible, many sensible administrators 
have stored the file outside of the webroot  =)  [ Followed the instructions 
on the website ], but infomation is still availible as to the locality of 
the file .

So, in some cases the database/config file is accessible via an internet 
browser

NOTE:“shopdbtest.asp” is not the only culprit, “shopa_sessionlist.asp” will 
disclose the same information, but its not as pretty and doesn't keep with 
the theme of the website .[ Not exactly a huge incentive to stay away but 
..... ]

There is another reason to love shopdbtest.asp, it is able to change the 
position of the database file.

You would be able to anyway if the default user/pass was still there; 
remember :

"Using your browser, you will be able to configure over 240 different 
features of VP-ASP."

Attackers can easily search for sites [ en mass ]  running the product  [ 
VP-ASP ], just buy using a search engine , like google
[ Why would you use anything else ? ]

e.g.. http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp

NOTE: shopdisplaycategories.asp is a main page for vp-asp, google gave me 
1,0** sites using this software, although it should be expected some are 
just running the demo and some are sensible.

Just have a look under "Advanced search" in your favorite search engine and 
look for shopdisplaycategories.asp ONLY in the URL of the page.

http://search.lycos.com/main/adv.asp
http://www.google.com/advanced_search

Another handy thing about the website is this 
page,http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy 
VP-ASP users.


Fix / workaround:
I sent and email and the nice people at VP-ASP sent one back =)

<reply from support () vpasp com>

I am unsure who you are but we are well aware of all the issues raised in
this note.

Our Developer's guide and Installation guide and our faq on our web site go
through all these issues and more


1. We absolutely recommend that the database be in a directory not viewable
from the web to prevent hacker downloads. VP-ASP fully supports this but
using either Windows indirect addressing or direct driver addresses or ODBC
connections.

2. We recommend all our diagnostic tools be taken off after the production
site it set up. Even if the database name is known, if it "off the web:, we
believe disclosing the name is of no use to the hacker.

3. We certainly recommend altering the administrative userids and passwords.
In addition we support facilities where the actual login page can be hidden.
In that case the hacker could not find the login page if they know the
password

We have to weigh ease of installation for first time e-commerce customers
and security for production sites. We believe we have accomplished this but
it is obviously up to each site owner to take our recommendations and act on
them.

Howard Kadetz
VP-ASP Support

</reply from support () vpasp com>

The page seems to cover all of this, but still, many people are not cautious 
enough, I would like to thank the developer for his speedy responce. It 
looks like very sound reasonable and quality infomation to harden your 
VP-ASP software, but .....

I would like to make the point that after all he/she has said the VP-ASP 
website's online test [ http://www.vpasp.com/demo400/ ] is running the 
shopdbtest.asp
[ http://www.vpasp.com/demo400/shopdbtest.asp]  ,

when I put in a new database file
.xDatabase   from .\..\test --> test and pressed the "test database" button.
You'll never guess what happened !

<quote>
Database Read Database cannot be read Verify that the database is at the 
physical location in the open message Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Write Database cannot be written Verify that the database is in a 
folder that has both read and write access Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Permissions Database Permissions are not correct Read the FAQ on 
our web site regarding permission for the anonymous user IUSR
</quote>

Maybe someone should read the security FAQ-> 
www.vpasp.com/virtprog/info/faq_security.htm ?


Remeber connections may need passwords, which may well be specified in the 
shopdbtest.asp file.

It might not hurt to give a list of files to be removed.


<id>Kowchew.</id>


_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com