Hi, A small thing the original advisory author has not mentioned is that SQL injection is also possible allowing you to enter the administrative page with actually knowing the used administrator username and password, example: Username: 'or''=' ( i.e. enter just: 'or''=' ) Password: 'or''=' ( i.e. enter just: 'or''=' ) Thanks Noam Rathaus http://www.BeyondSecurity.com http://www.SecuriTeam.com ----- Original Message ----- From: "hkvrg thdftghr" <alias404at_private> To: <bugtraqat_private> Sent: Monday, May 27, 2002 10:54 Subject: VP-ASP shopping cart software. > > > NOTE: Please Just ignore the tags, there just notes ect. to make a .txt > document a little more readable, or not. > > <short> > Several security issues in the VP-ASP shopping cart software > > <dot>Path Information Disclosure Vulnerability. > <dot>Insecure perrmissions on configuration file. > > </short> > > <synopsis> > > -Default passwords that allow 'admin' access in the VP-ASP script > > - A remote vulnerability in VP-ASP shopping cart software that can disclose > the location of the database/configuration data to an unprivilaged user, and > will allow a user to change the location of the database. > > -Allow by defult, accessibilty of the database/configuration file to any > user remotly. > </synopsis> > > > -- Multiple Vulnerabilities in VP-ASP software -- > > ()()()()()()()()()()()()()()()()()()()()()()()()()()()() > VP-ASP > ()()()()()()()()()()()()()()()()()()()()()()()()()()()() > > [ Kowchews security advisory] > <MD5>A71EB48778DD7953256EAAF8F02F0AD1</MD5> > > Description: > ( http://www.vpasp.com ) > There are several problems in the "vp-asp" shopping cart software. These are > a result of default installations. > > This may allow: > An attacker to locate the database/configuration. > An attacker to change the location of the databse/configuration file. > An attacker to download the database/configuration file. > An attacker to log in as the administrator of the VP-ASP software. > > > > Introduction: > ( according to the VP-ASP website ) > ---------------------------------- > Installation - VP-ASP installs in minutes and never modifies your computer > in any way. > > Customization - Using your browser, you will be able to configure over 240 > different features of VP-ASP. For quick shops, simply configure four items > such as your e-mail details via the browser, add your products via the > browser and your shop is up and running. Full online help is available. > > ---------------------- > VP-ASP > > can run on: > Windows 95/98/ME there is Personal Web Server. > Windows NT/2000/XP Professional there is IIS. > Windows XP Home. Sorry but Microsoft left you out. > and, VP-ASP Unix version will run under Chili!Soft ASP > (www.chillisoft.com). > -------------------- > > > Details: > > Vunerable: Probably all versions to date which have not been hardened after > being installed. > > <dot> By default the login/passwords are vpasp/vpasp or admin/admin , many > web sites do not have these changes, thus in some places anyone can login > from the [ pretty ] web interface > > http:/ / [ host ] / [ vpasp dir ] /shopadmin.asp > > > <dot> By default the Microsoft access configuration and storage file is > named shopping400.mdb/shopping300.mdb, and is readable from the internet, a > bad thing considering that it contains most, if not all of the configuration > data including person details and credit card details which are by default, > unencripted/protected. > > [ It may contain more infomation but I've only ever read it with a hex > editor =( ] > > <dot>Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so > kind as to give anyone who wants it the location to the database file [ > given as xDatabase in the page ] even if the location has been changed. > > NOTE:You do NOT have to be logged in as the administrator [ VP-ASP admin ] > to download the database/config file. > > NOTE: The database is an microsoft [ 2000 or 97 ] access file so, [ > xDatabase + .mdb ] appending a .mdb to the database location will the the > files location. > ie. http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ] > > NOTE: Thankfully, not all sites are vunrible, many sensible administrators > have stored the file outside of the webroot =) [ Followed the instructions > on the website ], but infomation is still availible as to the locality of > the file . > > So, in some cases the database/config file is accessible via an internet > browser > > NOTE:"shopdbtest.asp" is not the only culprit, "shopa_sessionlist.asp" will > disclose the same information, but its not as pretty and doesn't keep with > the theme of the website .[ Not exactly a huge incentive to stay away but > ..... ] > > There is another reason to love shopdbtest.asp, it is able to change the > position of the database file. > > You would be able to anyway if the default user/pass was still there; > remember : > > "Using your browser, you will be able to configure over 240 different > features of VP-ASP." > > Attackers can easily search for sites [ en mass ] running the product [ > VP-ASP ], just buy using a search engine , like google > [ Why would you use anything else ? ] > > e.g.. http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp > > NOTE: shopdisplaycategories.asp is a main page for vp-asp, google gave me > 1,0** sites using this software, although it should be expected some are > just running the demo and some are sensible. > > Just have a look under "Advanced search" in your favorite search engine and > look for shopdisplaycategories.asp ONLY in the URL of the page. > > http://search.lycos.com/main/adv.asp > http://www.google.com/advanced_search > > Another handy thing about the website is this > page,http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy > VP-ASP users. > > > Fix / workaround: > I sent and email and the nice people at VP-ASP sent one back =) > > <reply from supportat_private> > > I am unsure who you are but we are well aware of all the issues raised in > this note. > > Our Developer's guide and Installation guide and our faq on our web site go > through all these issues and more > > > 1. We absolutely recommend that the database be in a directory not viewable > from the web to prevent hacker downloads. VP-ASP fully supports this but > using either Windows indirect addressing or direct driver addresses or ODBC > connections. > > 2. We recommend all our diagnostic tools be taken off after the production > site it set up. Even if the database name is known, if it "off the web:, we > believe disclosing the name is of no use to the hacker. > > 3. We certainly recommend altering the administrative userids and passwords. > In addition we support facilities where the actual login page can be hidden. > In that case the hacker could not find the login page if they know the > password > > We have to weigh ease of installation for first time e-commerce customers > and security for production sites. We believe we have accomplished this but > it is obviously up to each site owner to take our recommendations and act on > them. > > Howard Kadetz > VP-ASP Support > > </reply from supportat_private> > > The page seems to cover all of this, but still, many people are not cautious > enough, I would like to thank the developer for his speedy responce. It > looks like very sound reasonable and quality infomation to harden your > VP-ASP software, but ..... > > I would like to make the point that after all he/she has said the VP-ASP > website's online test [ http://www.vpasp.com/demo400/ ] is running the > shopdbtest.asp > [ http://www.vpasp.com/demo400/shopdbtest.asp] , > > when I put in a new database file > .xDatabase from .\..\test --> test and pressed the "test database" button. > You'll never guess what happened ! > > <quote> > Database Read Database cannot be read Verify that the database is at the > physical location in the open message Microsoft Message > Open Messages > Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'. > Database Write Database cannot be written Verify that the database is in a > folder that has both read and write access Microsoft Message > Open Messages > Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'. > Database Permissions Database Permissions are not correct Read the FAQ on > our web site regarding permission for the anonymous user IUSR > </quote> > > Maybe someone should read the security FAQ-> > www.vpasp.com/virtprog/info/faq_security.htm ? > > > Remeber connections may need passwords, which may well be specified in the > shopdbtest.asp file. > > It might not hurt to give a list of files to be removed. > > > <id>Kowchew.</id> > > > _________________________________________________________________ > Join the world's largest e-mail service with MSN Hotmail. > http://www.hotmail.com > >
This archive was generated by hypermail 2b30 : Mon May 27 2002 - 11:56:53 PDT