Bugtraq mailing list archives
Re: Back Door in Commercial Shopping Cart
From: kragen () POBOX COM (Kragen Sitaker)
Date: Fri, 14 Apr 2000 16:35:59 -0400
This is for the benefit of journalists and others who are unable to read Perl.

The recent email posted by Luciano Ramos, which he claimed to be from "people at dansie", makes several assertions that are directly contradicted by the information in the original BUGTRAQ post. There are three possibilities:

1. the message is not from "people at dansie";
2. the people at dansie are ignorant of what their software does or are lying through their teeth;
3. the code contained in the original message is not found in the actual Dansie shopping cart, and was made up by the original poster, or the original poster's assertions about data flow into the system() statement.

Possibility #3 could be verified by any of Dansie's customers; not only have none of them posted contradictions of the original message to BUGTRAQ, but the "people at dansie" did not assert that the code was inaccurate. I am not one of Dansie's customers, so I have no direct evidence about possibility #3. I would like to hear from Dansie's customers if they can confirm or deny the original post. I'd like to see confirmation or denial of possibility #1 directly from Dansie.

Possibilities #1 and #2 should certainly lead to criminal prosecution of the author of the software. This appears to be one of the most blatant and wide-ranging acts of computer crime in history, surpassed only by the 1988 Internet Worm and Microsoft's recent "Netscape engineers are weenies!" backdoor. Even if the assertions made in the "people at dansie" email were the whole truth, it would mean that Dansie had built a remote-disabling feature into his software.

Below are my responses to particular points in the "people at dansie" email. Luciano Ramos writes:
> This is what people at dansie said:
> . . .
> The software has a copyright protection feature that poses no security risk to your website or your web server. It's designed to prevent software piracy and prevent pirates from running unlicensed copies.
> . . .

The code that was posted does not restrict copying; it violates security by sending unauthorized email out and by allowing arbitrary remote users to execute arbitrary commands on the web server, as long as they knew the secret keyword. These remote users could include:

- Craig Dansie himself;
- anyone who broke into his machine and made a copy of the shopping cart you are using;
- anyone who has read access to the shopping cart software on your web server; if you are on a web host shared with other customers, this usually means any other customer of your web host;
- anyone else who has a copy of the same shopping cart software you are using (presumably including all of Dansie's customers).

However, while there may be code in the script to prevent so-called "pirates" from running unlicensed copies, that code was not the code that was posted.
> Basically, it allows Craig to prevent thieves from stealing his script. I have known about it for a while.
> . . .
> The "main" reason this guy is ticked off is because he "violated" the copyright of Craig Dansie and hacked the script.
> . . .

Making modifications to a piece of software is analogous to writing in the margins of a book, which is not a violation of copyright law in the US --- or, as far as I know, any other country. Xeroxing the book, of course, can be, whether or not it has marginal notes you've made.

I think I'd be pretty ticked off if I discovered some software I was using had a secret backdoor in it that allowed anyone in the world to delete all my files, put up web pages about how I beat my wife on my web site, steal my customers' credit card numbers, and send threatening email to the President from my web server. All of these are easily within the capability of the backdoor that was posted to BUGTRAQ a few days ago with allegations that it was included in Dansie's shopping cart. I'd be ticked off even if my copy of the software was legitimate. In fact, I'd probably be a lot more ticked off if I paid somebody to give me useful software and they used that opportunity to embed a secret backdoor into my server.

I don't have any reason to believe that the original poster had modified Dansie's script and had his web server attacked by Dansie as a vicious form of retaliation, as the "people from dansie" email claims, but I also do not have any reason to believe that this assertion is false. If it is false, I think the original poster has good grounds for a defamation lawsuit.
> One thing this article does not cover is the fact that Craig "does" rotate the codes for the cart. On about a weekly schedule. However, since this guy has made public this information, ( yes I received two copies of this email as well )... it might behoove you to request an upgrade to any single user cart.
> . . .

This is difficult to interpret; it appears to mean that the secret keyword that Dansie can use to unlock his backdoor and gain unauthorized access to your web server is changed every week, so that all the copies of the shopping cart script that go out in a given week use the same secret keyword. This is more or less irrelevant, I think.

> There are "no" processes Craig can run on the server as this email suggests. Yes, he can wipe the vars.dat to protect his copyright and prevent the cart from working, but the only people that need to worry are "thieves" anyway. The cart "cannot" retrieve cc information or any other information that could cause a security risk.
> . . .

If the code that was posted is the real code, and if the backdoor element is indeed "immune to data validation" --- and probably even if Dansie tried to validate it, given the quality of the bits of code that were posted and referenced in another BUGTRAQ post --- then this statement is erroneous. Not only could a person who knew the secret keyword wipe your "vars.dat" --- something not mentioned by the posted code --- they could also wipe your whole website, or insert a second backdoor to send all of your customers' credit card numbers to them.
> James Stormer
> Hosting http://stormerhosting.com
> stormer () stormerhosting com

Stormer Hosting appears to be the web host for dansie.net.

> Regards,
> Craig Dansie
> Dansie Shopping Cart
> http://www.dansie.net
> FAQ: http://www.dansie.net/cgi-bin/faq.pl

Does this mean that this email actually originated from Craig Dansie? The rest of it seems inconsistent with that.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08. Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either. :)
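The post above asks Dansie's customers to confirm or deny what their copy of the cart does, and the contested claim is whether request data can reach a system() call or an outbound mail pipe. The following is an added example, not code from the post, from Dansie, or from the original BUGTRAQ report: a small Python triage script a customer (or a shared-host administrator with read access) could run over a Perl CGI script to list every construct that starts a process or a shell, and to flag the ones that have a Perl scalar on the same line, which is where non-constant data such as a request parameter may be flowing in. The Perl snippet embedded below is constructed input for the script, not the Dansie cart's source.

```python
"""Static triage of a Perl CGI script for constructs that start a process.

Added example; not the Dansie cart's code. The sample Perl at the bottom is
constructed input for demonstration only.
"""
import re
from typing import NamedTuple

# Perl constructs that hand a string to /bin/sh or spawn a program.
SHELL_SINKS = {
    "system":    re.compile(r"\bsystem\s*\("),
    "exec":      re.compile(r"\bexec\s*\("),
    "backtick":  re.compile(r"`[^`]+`"),
    "qx":        re.compile(r"\bqx\s*[({/\[]"),
    "pipe_open": re.compile(r"\bopen\s*\([^)]*['\"]\s*\|"),  # open(FH, "| cmd")
}
# Any Perl scalar on the same line: a hint that non-constant data is involved.
PERL_SCALAR = re.compile(r"\$\w+")


class Finding(NamedTuple):
    line: int            # 1-based line number in the audited file
    kind: str            # which sink pattern matched
    variable_input: bool  # True if a Perl scalar appears on the same line
    text: str            # the offending line, stripped


def audit_perl(source: str) -> list[Finding]:
    """Return one Finding per shell-sink construct found in `source`.

    Whole-line comments are skipped; trailing comments are not stripped because
    a '#' may legitimately sit inside a Perl string or regex. This is a triage
    aid, not a parser: every hit still needs a human to read the surrounding
    code and trace where the data on that line actually comes from.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pattern in SHELL_SINKS.items():
            if pattern.search(line):
                findings.append(Finding(lineno, kind,
                                        bool(PERL_SCALAR.search(line)),
                                        line.strip()))
    return findings


def variable_sinks(findings: list[Finding]) -> list[Finding]:
    """The subset to read first: sinks with non-constant data on the line."""
    return [f for f in findings if f.variable_input]


# Constructed sample input; not code from the Dansie cart.
SAMPLE_PERL = r"""#!/usr/bin/perl
# Constructed sample input for the audit script above; not the Dansie cart.
use CGI;
my $q = CGI->new;
my $item = $q->param('item');
print "Content-type: text/html\n\n";
system("ls -l /var/www/catalog");      # fixed command, no request data
open(MAIL, "|/usr/sbin/sendmail -t");  # outbound mail, fixed program
system($q->param('cmd'));              # request data handed to the shell
my $out = `wc -l $item`;               # request data handed to the shell
"""

if __name__ == "__main__":
    # Usage on a real file: audit_perl(open("cart.pl").read())
    for f in audit_perl(SAMPLE_PERL):
        flag = "VARIABLE DATA" if f.variable_input else "constant"
        print(f"line {f.line:3d}  {f.kind:<10} {flag:<14} {f.text}")
```

On the constructed sample the script reports four sinks: a fixed `system("ls ...")`, a fixed `sendmail` pipe, and two calls (a `system` and a backtick) that take request-derived data. The last two are the kind of line the original report describes, and the first two show why a hit alone is not a verdict: a shell call with a constant argument is ordinary CGI practice, so the reviewer's job is to follow the data on each flagged line back to its source.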