DCShop vulnerability

We have seen several Web shops using your DCShop product as E-commerce system, where it is possible for unauthorized persons via a Web browser to retrieve customer credit card numbers in cleartext. Although the developers on their Web site recommend not to use the beta product for commercial use, we have found sites already using it commercially.

The issue does not show up on properly configured servers, i.e. where the "Everyone"-group has "Full Access" to the CGI-BIN or sub-folders, more info below.

The requests are made of the following URL:

http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt

This will trigger the Web host to send a text file with all recent orders, including the end-user's name, shipping and billing address, e-mail address AND CREDIT CARD NUMBERS with exp-dates.

It is also in some cases possible to find the administrator name and password in another text file from a URL:

http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt

We have reported this issue to the developer, DCscripts.com, who within hours posted a security issue bulletin on their web site to clarify the recommendations for their software:

http://www.dcscripts.com/dcforum/dcshop/44.html

Peter Helms
Ernst & Young, Denmark
peter.helmsat_private
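As an added example (not part of the original advisory or of DCShop itself), the following Python script lets a site operator check their own web server access log for requests to the two DCShop data files named above; a 200 response to such a request means the file was served as plain text. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2001:10:02:11 +0200] "GET /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 200 48213 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jun/2001:10:02:15 +0200] "GET /cgi-bin/DCShop/Auth_data/auth_user_file.txt HTTP/1.0" 403 294 "-" "Mozilla/4.0"
198.51.100.4 - - [18/Jun/2001:10:05:40 +0200] "GET /cgi-bin/DCShop/dcshop.cgi?action=list HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Jun/2001:10:07:02 +0200] "GET /cgi-bin/DCShop/Orders/%6frders.txt HTTP/1.0" 200 48213 "-" "curl/7.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directories holding DCShop's flat data files under cgi-bin (from the advisory).
SENSITIVE_PREFIXES = ("/cgi-bin/dcshop/orders/", "/cgi-bin/dcshop/auth_data/")


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string, percent-decode and lower-case so that an
    # obfuscated path such as /Orders/%6frders.txt still matches.
    rec["path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    return rec


def find_data_file_requests(log_text):
    """Return (ip, path, status) for every request aimed at a DCShop data directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(SENSITIVE_PREFIXES):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def exposed_requests(log_text):
    """Only the requests the server actually answered with 200, i.e. data was disclosed."""
    return [hit for hit in find_data_file_requests(log_text) if hit[2] == 200]


if __name__ == "__main__":
    for ip, path, status in find_data_file_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {status}{'  DISCLOSED' if status == 200 else ''}")
```

Any 200 on these paths means the orders or auth file was readable by anyone with a browser; a 403 shows the directory permissions already blocked the read.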
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 17:24:34 PDT