Bugtraq mailing list archives

Re: Back Door in Commercial Shopping Cart


From: kragen () POBOX COM (Kragen Sitaker)
Date: Fri, 14 Apr 2000 16:35:59 -0400


This is for the benefit of journalists and others who are unable to
read Perl.

The recent email posted by Luciano Ramos, which he claimed to be from
"people at dansie", makes several assertions that are directly contradicted by
the information in the original BUGTRAQ post.  There are three
possibilities:
1- the message is not from "people at dansie";
2- the people at dansie are ignorant of what their software does or are
   lying through their teeth;
3- the code contained in the original message is not found in the
   actual Dansie shopping cart and was made up by the original
   poster, or the original poster's assertions about data flow into the
   system() statement were made up.

Possibility #3 could be verified by any of Dansie's customers; not only
have none of them posted contradictions of the original message to
BUGTRAQ, but the "people at dansie" did not assert that the code was
inaccurate.

I am not one of Dansie's customers, so I have no direct evidence about
possibility #3.  I would like to hear from Dansie's customers if they
can confirm or deny the original post.

I'd like to see confirmation or denial of possibility #1 directly from
Dansie.

Possibilities #1 and #2 should certainly lead to criminal prosecution
of the author of the software.  This appears to be one of the most
blatant and wide-ranging acts of computer crime in history, surpassed
only by the 1988 Internet Worm and Microsoft's recent "Netscape
engineers are weenies!" backdoor.

Even if the assertions made in the "people at dansie" email were the
whole truth, it would mean that Dansie had built a remote-disabling
feature into his software.

Below are my responses to particular points in the "people at dansie"
email.

Luciano Ramos writes:
This is what people at dansie said:

. . .
The software has a copyright protection feature that poses no security risk
to
your website or your web server. It's designed to prevent software piracy
and
prevent pirates from running unlicensed copies.
. . .

The code that was posted does not restrict copying; it violates
security by sending unauthorized email out and by allowing arbitrary
remote users to execute arbitrary commands on the web server, as long
as they knew the secret keyword.  These remote users could include:
- Craig Dansie himself;
- anyone who broke into his machine and made a copy of the shopping
  cart you are using;
- anyone who has read access to the shopping cart software on your web
  server; if you are on a web host shared with other customers, this
  usually means any other customer of your web host;
- anyone else who has a copy of the same shopping cart software you are
  using (presumably including all of Dansie's customers).

However, while there may be code in the script to prevent so-called
"pirates" from running unlicensed copies, that code was not the code
that was posted.

Basically, it allows Craig to prevent thieves from stealing his script.  I
have known about it for a while.
. . .
The "main" reason this guy is ticked off is because he "violated" the
copyright of Craig Dansie and hacked the script.
. . .

Making modifications to a piece of software is analogous to writing in
the margins of a book, which is not a violation of copyright law in the
US --- or, as far as I know, any other country.  Xeroxing the book, of
course, can be, whether or not it has marginal notes you've made.

I think I'd be pretty ticked off if I discovered some software I was
using had a secret backdoor in it that allowed anyone in the world to
delete all my files, put up web pages about how I beat my wife on my
web site, steal my customers' credit card numbers, and send threatening
email to the President from my web server.  All of these are easily
within the capability of the backdoor that was posted to BUGTRAQ a few
days ago with allegations that it was included in Dansie's shopping
cart.

I'd be ticked off even if my copy of the software was legitimate.  In
fact, I'd probably be a lot more ticked off if I paid somebody to give
me useful software and they used that opportunity to embed a secret
backdoor into my server.

I don't have any reason to believe that the original poster had
modified Dansie's script and had his web server attacked by Dansie as a
vicious form of retaliation, as the "people from dansie" email claims,
but I also do not have any reason to believe that this assertion is
false.  If it is false, I think the original poster has good grounds
for a defamation lawsuit.

One thing this article does not cover is the fact that Craig "does" rotate
the codes for the cart.  On about a weekly schedule.  However, since this
guy has made public this information (yes, I received two copies of this
email as well)...  it might behoove you to request an upgrade to any single
user cart.
. . .

This is difficult to interpret; it appears to mean that the secret
keyword that Dansie can use to unlock his backdoor and gain
unauthorized access to your web server is changed every week, so that
all the copies of the shopping cart script that go out in a given week
use the same secret keyword.

This is more or less irrelevant, I think.

There are "no" processes Craig can run on the server as this email suggests.
Yes, he can wipe the vars.dat to protect his copyright and prevent the cart
from working, but the only people that need to worry are "thieves" anyway.
The cart "cannot" retrieve cc information or any other information that
could cause a security risk.
. . .

If the code that was posted is the real code, and if the backdoor
element is indeed "immune to data validation" --- and probably even if
Dansie tried to validate it, given the quality of the bits of code that
were posted and referenced in another BUGTRAQ post --- then this
statement is erroneous.  Not only could a person who knew the secret
keyword wipe your "vars.dat" --- something not mentioned by the posted
code --- they could also wipe your whole website, or insert a second
backdoor to send all of your customers' credit card numbers to them.

James

Stormer Hosting
http://stormerhosting.com
stormer () stormerhosting com

Stormer Hosting appears to be the web host for dansie.net.

Regards,

Craig Dansie
Dansie Shopping Cart
http://www.dansie.net
FAQ: http://www.dansie.net/cgi-bin/faq.pl

Does this mean that this email actually originated from Craig Dansie?
The rest of it seems inconsistent with that.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08.  Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either.  :)
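The thread turns on whether request data reaches a system() call in a Perl CGI script. As an added example (not from this post, and not Dansie's code), here is a small audit script a site owner could run over their own CGI directory: it flags shell sinks (system, exec, backticks, piped open) on lines that read CGI parameters or use a variable assigned from them. The embedded Perl sample is constructed for illustration only.

```python
import re

# Perl constructs that hand a string to a shell or execute a program.
SHELL_SINKS = re.compile(
    r"\b(system|exec)\s*\(|`[^`]*`|open\s*\([^)]*\|", re.MULTILINE)
# Ways a CGI script reads request data: CGI.pm param(), the raw query
# string, or a hand-parsed %FORM/%in/%input hash. These mark a line as
# attacker-influenced.
CGI_SOURCES = re.compile(
    r"param\s*\(|\$ENV\{\s*['\"]?QUERY_STRING|\$(?:FORM|in|input)\{")

def audit_perl(source: str) -> list:
    """Return (line_number, line) pairs where a shell sink sits on a line
    that references CGI input directly, or uses a scalar that was assigned
    from CGI input earlier in the file. This is crude, line-based taint
    tracking: enough to surface the 'value from the request reaches
    system()' pattern for a human to review, not a full parser."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if CGI_SOURCES.search(line):
            # Remember scalars assigned from request data, e.g. my $x = param(...)
            for var in re.findall(r"\$(\w+)\s*=", line):
                tainted.add(var)
        if SHELL_SINKS.search(line):
            used = set(re.findall(r"\$(\w+)", line))
            if CGI_SOURCES.search(line) or used & tainted:
                findings.append((lineno, line.strip()))
    return findings

# Constructed sample CGI script (hypothetical, written for this example).
SAMPLE_CGI = r"""#!/usr/bin/perl
use CGI;
my $q = CGI->new;
my $item = $q->param('item');
my $cmd  = $q->param('cmd');
print "Content-type: text/html\n\n";
if ($q->param('key') eq 'secret') {
    system($cmd);
}
system("/bin/mail -s order admin\@example.com < $item");
"""

if __name__ == "__main__":
    for lineno, text in audit_perl(SAMPLE_CGI):
        print(f"line {lineno}: request data reaches a shell sink: {text}")
```

Both flagged lines in the sample are the shape the original post describes: a keyword-gated system() on a request parameter, and a mail command built from unvalidated form input.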


