Re: DCShop vulnerability

From: David Choi (dcscriptsat_private)
Date: Mon Jun 18 2001 - 20:35:19 PDT

Next message: Henrik Nordstrom: "Re: The Dangers of Allowing Users to Post Images"

Previous message: Marc Maiffret: "All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)"
In reply to: Peter Helms: "DCShop vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is not really a vulnerability.  It is more a
server setup problem.

Normally, you should not be able to browse files in
/cgi-bin directory; you should only be able to execute
scripts and display the page resulting from them. 
BUT, we do live in an imperfect world and some server
DO allow viewing of files in /cgi-bin directory and so
IT IS a problem, nonetheless.  To eliminate this
problem, please see

http://www.dcscripts.com/dcforum/dcshop/44.html

Thanks.

David S. Choi
DCScripts.com


--- Peter Helms <peter.helmsat_private> wrote:
> DCShop vulnerability
> 
> We have seen several Web shops using your 
> DCShop product as E-commerce system, where it is 
> possble for unauthorized persons via a Web browser 
> to retrieve customer creditcard numbers in
> cleartext. 
> Athough the developers on their Web site 
> recommends not to use the beta product for 
> commercial use, we have found sites already using it
> 
> commercially.
> 
> The issue does not show up on properly configured 
> servers, i.e. where the "Everyone"-group has "Full 
> Access" to the CGI-BIN or sub-folders, more info 
> below.
> 
> 
> The requests are made of the following URL:
>
http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt
> This will triger the Web host to send a text file
> with all 
> recent orders, including the end-users name, 
> shipping and billing-address, e-mail address AND 
> CREDIT CARD NUMBERS with exp-dates.
> 
> 
> It is also in some cases possible to find the 
> administrator name and password in another text file
> 
> from an URL:
> http://theTargetHost/cgi-
> bin/DCShop/Auth_data/auth_user_file.txt
> 
> We have reported this issue to the developer, 
> DCscripts.com, who within hours posted a security 
> issue bulletin on their web site to clarify the 
> recommendations for their software:
> http://www.dcscripts.com/dcforum/dcshop/44.html
> 
> 
> 
> Peter Helms
> Ernst & Young, Denmark
> peter.helmsat_private


__________________________________________________
Do You Yahoo!?
Spot the hottest trends in music, movies, and more.
http://buzz.yahoo.com/

Next message: Henrik Nordstrom: "Re: The Dangers of Allowing Users to Post Images"
Previous message: Marc Maiffret: "All versions of Microsoft Internet Information Services, Remote buffer overflow (SYSTEM Level Access)"
In reply to: Peter Helms: "DCShop vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 22:19:12 PDT