Bugtraq mailing list archives

Re: Shopping Carts exposing CC data

From: joe () GONZO BLARG NET (Joe)
Date: Tue, 20 Apr 1999 13:34:57 -0700


My apologies for the canned response, but I'm getting an email request for
specifics on this mess averaging 1 per minute - so I'll post this to the
list.

To answer many questions all at once:

    CNet has not posted the story yet. (This is a good thing) More time to
    minimize the damage...

    The larger ECommerce sites usually write their stuff in house. As such,
    places like Onsale.com, Amazon.com etc are not, to my knowledge,
    vulnerable in the least.  The ones you need to concern yourself with are
    those that purchase 3rd party shopping systems and then install them
    incorrectly.  From what I've been able to gather, it's the smaller
    mom-n-pop operations that are causing the most damage.

    If a cart is not listed here, it should not be considered vulnerable in
    the slightest. I myself have no problem doing business with Amazon,
    Onsale, SurplusAuction, UBid, Buy.com et al.  This doesn't mean you
    shouldn't check your own installs though.

    It would perhaps be prudent for ECommerce sites to reveal their
    architecure and security scheme within their privacy statements.  I for
    one would like to hear them all say "No un-encrypted data stored on
    servers - period." (This is our own policy) Hell, something as simple as
    a 1024b PGP scheme with off-net private keys would make me deliriously
    happy.

    Please don't ask me if your particular cart is "vulnerable".  Check for
    yourself, since ALL of the carts listed below CAN be secured and are
    usually only exposing data when the end user fsks up the install. Simply
    check all files that contain customer data (order.log etc..) and see if
    it's available to a web browser. You should already have the path to it,
    so plug in the url to that file, if it comes up, you got problems.

    It should be noted that these are not "bugs" in the common vernacular,
    just improperly installed/maintained carts.

    Under NO circumstances should any of the carts listed below be
    blacklisted or considered unsafe. Quite the contrary. Many of the carts
    listed below provide PGP options that would completely eliminate this
    problem.  Sadly, too few cart users are utilizing these options and
    instead are taking the path of least resistance.

Here are the six shopping carts that, when installed contrary to their
documentation or are improperly maintained can expose order information.
All of the exposed information generated by these carts was discovered
through a public search engine.

Selena Sol's WebStore 1.0  http://www.extropia.com/
    Platforms: Win32 / *Nix  (Perl5)
    Executable: web_store.cgi
    Exposed Directory: Admin_files
    Exposed Order info: Admin_files/order.log
    Status: Commercial ($300)/ Demo available.
    Number of exposed installs found: 100+
    PGP Option available?: Yes

Order Form v1.2  http://www.io.com/~rga/scripts/cgiorder.html
    Platforms: Win32 / *Nix  (Perl5)
    Executable: ?
    Exposed Directory: Varies, commonly "Orders" "order" "orders" etc..
    Exposed Order Info: order_log_v12.dat (also order_log.dat)
    Status: Shareware ($15/$25 registration fee)
    Number of exposed installs found: 15+
    PGP Option available?: Unknown.

Seaside Enterprises EZMall 2000  http://www.ezmall2000.com/
    Platforms: Win32 / *Nix  (Perl5)
    Executable: mall2000.cgi
    Exposed Directory: mall_log_files
    Exposed Order Info: order.log
    Status: Commercial ($225.00+ options)
    Number of exposed installs found: 20+
    PGP Option Available?: YES

QuikStore  http://www.quikstore.com/
    Platforms: Win32 / *Nix (Perl5)
    Executable: quikstore.cgi
    Exposed Order info: quikstore.cfg* (see note)
    Status: Commercial ($175.00+ depending on options)
    Number of exposed installs found: 3
    PGP Option Available?: Unknown.

    NOTE: This is, IMHO, one of the most dangerous of the lot, but
    thankfully, one of the lowest number of discovered exposures.  Although
    the order information itself is secured behind an htaccess name/pwd
    pair, the config file is not. The config file is world readable, and
    contains the CLEAR TEXT of the ADMINS user id and password
    - rendering the entire shopping cart vulnerable to an intruder.
    QuikStore's "password protected Online Order Retrieval System" can be
    wide open to the world.  (Armed with the name and pwd, the web visitor
    IS the administrator of the shopping cart, and can view orders, change
    settings and order information - the works.)


PDGSoft's PDG Shopping Cart 1.5  http://www.pdgsoft.com/
    Platforms: Win32 / *Nix (C/C++(?))
    Executable: shopper.cgi
    Exposed Directory: PDG_Cart/  (may differ between installs)
    Exposed Order info: PDG_Cart/order.log
    Exposed Config info: PDG_Cart/shopper.conf (see note)
    Status: Commercial ($750+ options)
    Number of exposed installs found: 1+ (They installed it on our server)
    PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)

    NOTE:  if they renamed the order log, shopper.conf will tell you where
    it's at and what it was named - worse, shopper.conf exposes the clear
    text copy of Authnet_Login and Authnet_Password, which gives you full
    remote administrative access to the cart. shopper.conf, from what I can
    determine based on the company installed version we have here, is world
    readable and totally unsecured.

And now a drum roll please:

Mercantec's SoftCart http://www.mercantec.com/
    Platform: Win32 (*Nix?)
    Executable: SoftCart.exe (version unknown)
    Exposed Directory: /orders and /pw
    Exposed Order Info: Files ending in "/orders/*.olf"
    Exposed Config Info: /pw/storemgr.pw
                        (user ID and encrypted PW for store mgr?)

    Number of exposed installs: 1
    PGP Option Available?: Unknown
    NOTES:

    This one has only been found vulnerable on ONE server. (user error?) The
    encryption scheme on the storemgr.pw password is unrecognized by me but
    I'm not an encryption guru.  Someone's bound to recognize it.

    This is a scary one though - HiWay technologies is one of the largest
    domain hosts in the world, with over 120,000 domains. They are using
    SoftCart for clients that request ECommerce capabilities.

    The exposed install I found is hosted by HiWay.

    *shudder*

    Any and all opinions expressed here are solely those of the author and
    do not reflect the views, policies, practices or opinions of my employer.

Joe.

--
Joe H.                                  Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net

Current thread:

Bash Bug, (continued)
- - - Bash Bug Shadow (Apr 20)
    - Re: Bash Bug Marc Lehmann (Apr 21)
    - Re: Bash Bug Pavel Kankovsky (Apr 22)
    - Re: Bash Bug Chet Ramey (Apr 22)
    - L0pht Security Advisory: Cold Fusion App Server Weld Pond (Apr 21)
    - Re: Plain text passwords--necessary Densin Roy. (Apr 19)
    - Re: Plain text passwords--necessary Daniel Alex Finkelstein (Apr 19)
    - AOL Instant Messenger URL Crash Adam Brown (Apr 19)
    - Re: AOL Instant Messenger URL Crash Daniel Reed (Apr 20)
    - Shopping Carts exposing CC data Joe (Apr 19)
    - Re: Shopping Carts exposing CC data Joe (Apr 20)
    - Outlook 98 allows spoofing internal users Nate Lawson (Apr 20)
    - Re: Outlook 98 allows spoofing internal users Peter van Dijk (Apr 25)
    - Re: Shopping Carts exposing CC data Louis R. Marascio (Apr 20)
    - eBay password stealing with JavaScript Michael K. Sanders (Apr 20)
    - Re: eBay password stealing with JavaScript Paul Festa (Apr 21)
    - Bug in Linux Mount Jacek Konieczny (Apr 20)
    - Re: Bug in Linux Mount Meelis Roos (Apr 20)
- Re: Plain text passwords--necessary Steven M. Bellovin (Apr 19)
- Re: Plain text passwords--necessary Chris (Apr 19)
  - Re: Plain text passwords--necessary Tom Perrine (Apr 20)