Interspire Shopping Cart Insecure Permissions

`=========  
Product:  
Interspire Shopping Cart  
  
=========  
Problem:  
config/config.php MUST be httpd-readable (inter-domain read access  
permitted, which is a problem on shared hosting)  
  
=========  
About product:  
What is Interspire Shopping Cart?  
Interspire Shopping Cart is the most feature rich, all-in-one shopping  
cart software available. It has an enterprise-grade feature set and is  
trusted by more than 15,000 businesses in over 65 countries.  
  
=========  
Details:  
This software uses the permissions for config/config.php to determine  
the permissions for uploaded product image files. Since images have  
to be readable by the web server user, the config/config.php file must  
also be readable by the web server user. This means that for almost  
all shared hosting configurations, config/config.php is insecure -- by  
design. You can set secure permissions on config.php, but this will  
invariably cause static images to be unreadable by the web server.  
Effectively this means that wherever you find Interspire shopping  
cart, you can take over administration as another user on the same  
system.  
  
=========  
Vendor response:  
"I am aware of how hackers can read configuration files if they have  
an account on the same server. However, this is an issue for hosting  
companies, not for us. We are not mandating anything. It is just a  
fact that the large majority of hosting companies do not run suphp."  
"It does not look like we are going to agree on this. In my view, this  
is entirely a hosting related issue, one that can be "fixed" by  
modifying the config/config.php permissions."  
  
=========  
Exploit:  
Look for /home/*/public_html/config/config.php file, or make a symlink  
to it and read it via the web server. The interesting bits are ...  
$GLOBALS['ISC_CFG']["dbServer"] = 'localhost';  
$GLOBALS['ISC_CFG']["dbUser"] = 'somedatabse_user';  
$GLOBALS['ISC_CFG']["dbPass"] = 'somesecret';  
$GLOBALS['ISC_CFG']["dbDatabase"] = 'somedatabase_name';  
$GLOBALS['ISC_CFG']["tablePrefix"] = 'isc_';  
Once you have database access, application authentication data  
is in the table isc_users (md5 auth if you want to google it, or you  
can set your own password and lock the regular user out).  
  
  
=========  
Work-arounds:  
  
1. Have a chat with your hosting company and ask them not to let  
anyone else on the server you are sharing be hacked. (Recommended by  
vendor.)  
  
2. In lib/init.php, the following HACK tells the software to ignore  
the permissions on config/config.php. After this you can set the  
permissions securely without breaking the application:  
  
//define('ISC_WRITEABLE_FILE_PERM', fileperms(ISC_CONFIG_FILE));  
//define('ISC_WRITEABLE_DIR_PERM', fileperms(dirname(ISC_CONFIG_FILE)));  
define('ISC_WRITEABLE_FILE_PERM', 0644);  
define('ISC_WRITEABLE_DIR_PERM', 0755);  
  
3. Use other software (e.g. oscommerce, ha ha :)  
  
4. Unpredictable DocumentRoot will help. Chroot of other users will  
seem to help, provided symbolic links are not permitted.  
  
`