Information Security News mailing list archives

MindSpring site exposes password files


From: William Knowles <wk () C4I ORG>
Date: Mon, 23 Oct 2000 21:59:23 -0500

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO52714,00.html

By ANN HARRISON
October 23, 2000

An unpatched, buggy version of open-source e-commerce software,
combined with a misconfigured hosting server, exposed password files
earlier this month for approximately 100 domains hosted by
Atlanta-based EarthLink Inc.

The chain of events included the discovery of a 2-year-old security
flaw and the exposure of password lists for all customers on two
MindSpring Enterprises Inc. servers. The situation illustrates some of
the potential perils of failing to register e-commerce software with
vendors that issue security and other upgrade advisories.

A Web search by an affected customer has uncovered potentially
thousands of e-commerce sites that haven't applied the patch.

The problem started two years ago, when Web Store software created by
Singapore-based Extropia.com was upgraded to fix a security flaw and
users were sent an advisory with a patch.

Three years earlier, A Dog Owner's Network had a custom implementation
of the open-source software installed. But the Lake Arrowhead,
Calif.-based e-commerce site never registered with Extropia to receive
the patch.

A student reportedly discovered that the dog owner's site
(www.adognet.com) was vulnerable and told Atlanta-based MindSpring on
Oct. 10. That led to the discovery that a misconfiguration on the
site's MindSpring hosting service, owned by EarthLink, allowed
attackers to view the password lists of other sites hosted on the same
servers.

Cris Alarcon, an information technology administrator at aDogNet.com,
said his staff created their own patch for the 7-year-old software as
soon as they learned of the bug. Alarcon said he later conducted a Web
search for other companies that used Web Store and turned up 2,500
users, half of whom appear not to have downloaded the patch.

"It's natural to open source that you are going to get a broad
distribution of the program, but there are many unregistered versions
that are not privy to updates," said Alarcon. "Since many of these
companies have smaller sites, they are less likely to have a technical
department that keeps up on data security issues."

Alarcon said that his company doesn't keep any sensitive customer data
or credit-card numbers on the hosted server, and that only low-level
passwords were exposed.

According to Alarcon, the most disturbing part of the incident was
that any site hosted on MindSpring could, in theory, read about the
vulnerability, download the flawed software and use it to get passwords
from other sites on the same servers.

Dave Flammia, director of Web-hosting support at EarthLink,
acknowledged that other sites hosted on the same servers as
aDogNet.com did have their password files exposed. "They could cut and
paste it from the Web," he said.

But Flammia said he had no knowledge of MindSpring being alerted to
the problem prior to Oct. 17. He added that MindSpring changed its
server configurations on the evening of Oct. 18 to make sure that
password files weren't exposed.
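The configuration change Flammia describes, making sure one customer's password file cannot be read by the other accounts on a shared host, is the kind of thing a hosting administrator would verify with a small audit script rather than by hand. The Python below is an added example, not EarthLink's, MindSpring's or Extropia's code. The file names it treats as sensitive, the directory layout and the two sample customer accounts are constructed assumptions; the article does not say where Web Store kept its password list.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: names under which a CGI store or hosting account commonly keeps
# a flat password list. The real Web Store file name is not given in the article.
SENSITIVE_NAMES = {"passwd", "password", ".htpasswd", "users.dat", "admin.dat"}


def is_sensitive(path: Path) -> bool:
    """Heuristic: file name is a known credential-list name or contains 'passw'."""
    name = path.name.lower()
    return name in SENSITIVE_NAMES or "passw" in name


def audit_tree(root: str) -> list:
    """Walk a hosting tree and return (path, problem) for every sensitive file
    that accounts other than the owner could read. On a shared server, group-
    or world-readable password lists are exactly what lets one customer's site
    read another's."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if not is_sensitive(p):
                continue
            mode = p.stat().st_mode
            if mode & stat.S_IROTH:
                findings.append((str(p), "world-readable (o+r)"))
            elif mode & stat.S_IRGRP:
                findings.append((str(p), "group-readable (g+r); other accounts may share the group"))
    return findings


def harden(path: str) -> None:
    """Strip group and other permission bits so only the owning account can read the file."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def build_demo() -> str:
    """Constructed sample: two customer accounts on one host, one of which
    left its store password file at mode 0644 (world-readable)."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for account, mode in (("site_a", 0o644), ("site_b", 0o600)):
        store = Path(root) / account / "cgi-bin" / "store"
        store.mkdir(parents=True)
        pw = store / "passwd"
        pw.write_text("alice:constructed-hash-placeholder\n")
        os.chmod(pw, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo()
    for path, problem in audit_tree(demo_root):
        print(f"{problem}: {path}")
        harden(path)
    print("after hardening:", audit_tree(demo_root))
```

Run against a real document root the same way (`audit_tree("/home")`), ideally from cron, and treat any finding as an exposure to investigate, not just a bit to flip: a password list that was world-readable may already have been copied, which is why the article's advice to change the passwords matters as much as the chmod.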

Flammia said the vulnerability affected Sun Solaris servers that
hosted only "a handful" of customers - perhaps fewer than 100. He said
MindSpring had contacted affected customers and asked them to change
passwords.

"We asked them to change them to something harder to crack, so that a
simple dictionary program couldn't crack it," Flammia said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
