[FW: Shopping Carts exposing CC data update]
****** message to minivend-users from Steve Cockwell <stevec@sierra.lazarus.ca> ******
I promise this is the last you'll hear of this. I'm forwarding this on
because it *might* be of interest to MV users (not because I think MV
users should worry). At the very least you can all pat yourselves on
the back for choosing a great product like Minivend. Or hey, you can
send me mail and tell me what a clueless newbie I am if it makes you
feel better...
But ultimately, this is just keeping abreast of the industry (this is
about shopping carts, minivend is a shopping cart...)
[bunch of stuff you've already heard deleted]
> Here are the six shopping carts that, when installed contrary to their
> documentation or are improperly maintained can expose order information.
> All of the exposed information generated by these carts was discovered
> through a public search engine.
>
> Selena Sol's WebStore 1.0 http://www.extropia.com/
> Platforms: Win32 / *Nix (Perl5)
> Executable: web_store.cgi
> Exposed Directory: Admin_files
> Exposed Order info: Admin_files/order.log
> Status: Commercial ($300)/ Demo available.
> Number of exposed installs found: 100+
> PGP Option available?: Yes
>
> Order Form v1.2 http://www.io.com/~rga/scripts/cgiorder.html
> Platforms: Win32 / *Nix (Perl5)
> Executable: ?
> Exposed Directory: Varies, commonly "Orders" "order" "orders" etc..
> Exposed Order Info: order_log_v12.dat (also order_log.dat)
> Status: Shareware ($15/$25 registration fee)
> Number of exposed installs found: 15+
> PGP Option available?: Unknown.
>
> Seaside Enterprises EZMall 2000 http://www.ezmall2000.com/
> Platforms: Win32 / *Nix (Perl5)
> Executable: mall2000.cgi
> Exposed Directory: mall_log_files
> Exposed Order Info: order.log
> Status: Commercial ($225.00+ options)
> Number of exposed installs found: 20+
> PGP Option Available?: YES
>
> QuikStore http://www.quikstore.com/
> Platforms: Win32 / *Nix (Perl5)
> Executable: quikstore.cgi
> Exposed Order info: quikstore.cfg* (see note)
> Status: Commercial ($175.00+ depending on options)
> Number of exposed installs found: 3
> PGP Option Available?: Unknown.
>
> NOTE: This is, IMHO, one of the most dangerous of the lot, but
> thankfully, one of the lowest number of discovered exposures. Although
> the order information itself is secured behind an htaccess name/pwd
> pair, the config file is not. The config file is world readable, and
> contains the CLEAR TEXT of the ADMINS user id and password
> - rendering the entire shopping cart vulnerable to an intruder.
> QuikStore's "password protected Online Order Retrieval System" can be
> wide open to the world. (Armed with the name and pwd, the web visitor
> IS the administrator of the shopping cart, and can view orders, change
> settings and order information - the works.)
>
> PDGSoft's PDG Shopping Cart 1.5 http://www.pdgsoft.com/
> Platforms: Win32 / *Nix (C/C++(?))
> Executable: shopper.cgi
> Exposed Directory: PDG_Cart/ (may differ between installs)
> Exposed Order info: PDG_Cart/order.log
> Exposed Config info: PDG_Cart/shopper.conf (see note)
> Status: Commercial ($750+ options)
> Number of exposed installs found: 1+ (They installed it on our server)
> PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)
>
> NOTE: if they renamed the order log, shopper.conf will tell you where
> it's at and what it was named - worse, shopper.conf exposes the clear
> text copy of Authnet_Login and Authnet_Password, which gives you full
> remote administrative access to the cart. shopper.conf, from what I can
> determine based on the company installed version we have here, is world
> readable and totally unsecured.
>
> And now a drum roll please:
>
> Mercantec's SoftCart http://www.mercantec.com/
> Platform: Win32 (*Nix?)
> Executable: SoftCart.exe (version unknown)
> Exposed Directory: /orders and /pw
> Exposed Order Info: Files ending in "/orders/*.olf"
> Exposed Config Info: /pw/storemgr.pw
> (user ID and encrypted PW for store mgr?)
>
> Number of exposed installs: 1
> PGP Option Available?: Unknown
> NOTES:
>
> This one has only been found vulnerable on ONE server. (user error?) The
> encryption scheme on the storemgr.pw password is unrecognized by me but
> I'm not an encryption guru. Someone's bound to recognize it.
>
> This is a scary one though - HiWay technologies is one of the largest
> domain hosts in the world, with over 120,000 domains. They are using
> SoftCart for clients that request ECommerce capabilities.
>
> The exposed install I found is hosted by HiWay.
>
> *shudder*
>
> Any and all opinions expressed here are solely those of the author and
> do not reflect the views, policies, practices or opinions of my
> employer.
>
> Joe.
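The common thread in the forwarded list is not a bug in any one cart but an installation mistake: order logs and configuration files left inside the web document root, readable by the web server and not covered by an htaccess rule. The following is an added example (not from the forwarded report or from any of the products named) of a local audit a site administrator could run against their own document root. It looks for the file names the report quotes (order.log, order_log_v12.dat, quikstore.cfg, shopper.conf, storemgr.pw, *.olf), reports whether each is world-readable and whether its directory carries a deny-all .htaccess, and includes a constructed sample document root so it runs offline. The file names and layouts are taken from the report above; the permission and .htaccess checks are assumptions about what "secured" means on a typical Apache host of the era, not anything the report states.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names quoted in the forwarded report. Real installs vary, so treat
# this as a starting list rather than an exhaustive one.
SENSITIVE_NAMES = {
    "order.log", "order_log_v12.dat", "order_log.dat",
    "quikstore.cfg", "shopper.conf", "storemgr.pw",
}
SENSITIVE_SUFFIXES = (".olf",)


def is_world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set. Heuristic only: a file owned by
    the web server user is readable by it regardless of this bit."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def directory_is_denied(directory: Path) -> bool:
    """Assume an .htaccess containing 'deny from all' (Apache 1.x/2.2) or
    'Require all denied' (Apache 2.4) blocks web access to the directory."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return "deny from all" in text or "require all denied" in text


def audit_docroot(docroot) -> list:
    """Walk the document root and return one record per sensitive file found.
    Anything under the docroot is already a finding; the two flags record
    whether a common mitigation is in place."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "world_readable": is_world_readable(path),
                "htaccess_denied": directory_is_denied(path.parent),
            })
    return sorted(findings, key=lambda f: f["path"])


def exposed(findings: list) -> list:
    """Findings with neither mitigation: readable and not denied by .htaccess."""
    return [f for f in findings if f["world_readable"] and not f["htaccess_denied"]]


def build_sample_docroot(base) -> Path:
    """Construct a sample document root mirroring layouts from the report.
    All contents are made up for the example."""
    root = Path(base)

    def put(rel, text, mode):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.chmod(p, mode)

    put("index.html", "<html>store</html>\n", 0o644)
    # WebStore-style layout, no protection at all
    put("Admin_files/order.log", "sample order, card number redacted\n", 0o644)
    # PDG-style layout, config present but directory denied via .htaccess
    put("PDG_Cart/shopper.conf", "Authnet_Login=placeholder\n", 0o644)
    put("PDG_Cart/.htaccess", "Order deny,allow\nDeny from all\n", 0o644)
    # QuikStore-style config, owner-only permissions
    put("quikstore.cfg", "admin_user=placeholder\n", 0o600)
    # SoftCart-style order file, unprotected
    put("orders/1234.olf", "sample order\n", 0o644)
    return root


def run_sample_audit() -> tuple:
    """Build the sample tree in a temp directory and return (all, exposed)."""
    root = build_sample_docroot(tempfile.mkdtemp())
    findings = audit_docroot(root)
    return findings, exposed(findings)


if __name__ == "__main__":
    findings, bad = run_sample_audit()
    for f in findings:
        status = "EXPOSED" if f in bad else "mitigated"
        print(f"{status:9} {f['path']}  world_readable={f['world_readable']} "
              f"htaccess_denied={f['htaccess_denied']}")
```

Run it against a real site as `audit_docroot("/path/to/htdocs")`. The correct fix for any hit is the one the report implies: move the file outside the document root and tighten its permissions, rather than relying on the .htaccess check alone, since that only helps on servers that honour .htaccess.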
Archive of past messages: http://www.minivend.com/minivend/minivend-list