Bugtraq mailing list archives

Team Asylum: iHTML Merchant Vulnerabilities


From: security () TEAM-ASYLUM COM (Team Asylum)
Date: Tue, 28 Sep 1999 21:06:20 -0400


Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.team-asylum.com
Source: Dave M. (davem () cyberspace2000 com)
Advisory Date: 09/16/1999

Affected
--------
All known released versions of the iHTML Merchant for Unix/Windows 95/98/NT.

Product Description
-------------------
iHTML Merchant, written by Inline Internet Systems Inc., is an e-commerce
solution programmed in iHTML which allows complicated web programming tasks
to be done by anyone with basic knowledge of HTML and their web server of
choice.

Over 2,700 online merchants run iHTML Merchant.  In turn, they can run
dozens more stores off that single product.  For more details about
this product, visit http://www.ihtmlmerchant.com or see Inline's site at
http://www.inline.net.

Vulnerability Summary
---------------------
Team Asylum has discovered a vulnerability that exists in iHTML Merchant
which would allow a malicious hacker to (at the very least) view the
protected files in the website's administrative section, giving the attacker
the ability to view credit card information.  If the iHTML Merchant is being
run on Windows 95/98/NT the vulnerability is much more severe.  The
vulnerability exists in how iHTML Merchant parses code.  The attacker
could:

1) Delete any file on the server
2) Write a file to any folder on the server.
3) Upload a trojan.
4) Steal credit card numbers, and other hidden information.

If the iHTML Merchant is being run on UNIX, the possibility exists that the
web site could be altered.  These findings reflect the default settings for
95/98/NT and iHTML Merchant.

Fix
---
Below is a temporary fix that can be integrated with iHTML Merchant.

<!--- http://www.team-asylum.com -->
<iEQ name="brac" value=<iSTRIN SRC=":email" DST="<">>
<iIF NOTCOND=<iSTRNICMP SRC=:brac DST="0">>
For security reasons, your message was not sent.<br>Please verify that you
entered your email address correctly, by going <a
href="javascript:history.back(1)">back</a><br>
<iinclude name="template/footer.ihtml">
<iSTOP>
</iIF>
<!--- Fix by: Dave Meehan -->

Final Notes
-----------
This vulnerability exists because of the way the iHTML Merchant was
written but is compounded by faulty NT security settings.  Team Asylum
has notified Inline Internet Systems but has received no response
whatsoever.
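
Added example (not part of the advisory and not iHTML Merchant code): the temporary fix in the Fix section rejects a submission only when the email field contains "<". The Python below places that test beside an allowlist check that accepts nothing but address characters, and applies a "<"/">" test to the other submitted fields. The field names, the regular expression and the sample submissions are assumptions constructed for illustration; the advisory itself covers only :email.

```python
import re

# Conservative allowlist for an address field: local part, "@", dotted domain.
# Deliberately narrower than RFC 5322; nothing outside these characters passes.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAX_EMAIL_LEN = 254
# Characters that delimit tags; the advisory's fix tests only for "<".
MARKUP_CHARS = frozenset("<>")


def advisory_check(email: str) -> bool:
    """Equivalent of the advisory's temporary fix: accept unless "<" appears."""
    return "<" not in email


def email_allowed(email: str) -> bool:
    """Allowlist check: accept only if the whole value matches EMAIL_RE."""
    return len(email) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(email) is not None


def rejected_fields(form: dict) -> list:
    """Return the names of submitted fields that must stop the request.

    Field names are hypothetical; "email" mirrors the advisory's :email.
    """
    bad = []
    for name, value in form.items():
        if name == "email":
            if not email_allowed(value):
                bad.append(name)
        elif MARKUP_CHARS & set(value):
            bad.append(name)
    return sorted(bad)


# Constructed sample submissions (not taken from the advisory).
SAMPLES = [
    {"email": "buyer@example.com", "comment": "Please ship quickly"},
    {"email": "buyer@example.com<b>", "comment": "ok"},
    {"email": "buyer at example dot com", "comment": "ok"},
    {"email": "buyer@example.com", "comment": "a <b> tag"},
]

if __name__ == "__main__":
    for form in SAMPLES:
        print(repr(form["email"]), advisory_check(form["email"]), rejected_fields(form))
```

The third sample passes the "<" test but fails the allowlist, which is the gap a denylist on a single character leaves open.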


