DST2K0035.txt

2000-10-05T00:00:00
ID PACKETSTORM:23252
Type packetstorm
Reporter delphisplc.com
Modified 2000-10-05T00:00:00

Description

                                        
                                            `============================================================================  
Delphis Consulting Plc  
============================================================================  
  
Security Team Advisories  
[22/09/2000]  
  
securityteam@delphisplc.com  
[http://www.delphisplc.com/thinking/whitepapers/]  
  
============================================================================  
Adv : DST2K0035  
Title : Credit card (customer) details exposed within CyberOffice  
Shopping Cart v2  
Author : DCIST (securityteam@delphisplc.com)  
O/S : Microsoft Windows NT 4 Server (SP5)  
Product : CyberOffice Shopping Cart v2  
Date : 22/09/2000  
  
I. Description  
  
II. Delphis Solution  
  
III. Vendor Comments  
  
IV. Disclaimer  
  
  
============================================================================  
  
I. Description  
============================================================================  
  
Vendor URL: http://www.smartwin.com.au/smartwin.htm  
  
Delphis Consulting Internet Security Team (DCIST) discovered the following  
vulnerability in CyberOffice Shopping Cart v2 under Windows NT.  
  
Severity: high - Database access by default  
  
With a default installation of CyberOffice (following the vendor's  
instructions) it is possible to download the database that holds customer  
orders, personal details and credit card information. This data is held in  
an unprotected, unencrypted Microsoft Access database.  
  
example: http://127.0.0.1/_private/shopping_cart.mdb  
  
By default the _private directory is world readable and accessible by any  
anonymous web user. The vendor does state in the documentation that the  
/_private/ directory should not be browsable, but disabling directory  
browsing alone does not prevent the download: if the file name is known the  
database can still be retrieved directly.  
  
II. Delphis Solution  
============================================================================  
  
Vendor Status: Informed (See Section III.)  
  
Currently Delphis recommend the following:  
  
o Within IIS (Internet Information Server) manager set the directory  
permissions to write but NOT read. This allows the application to update the  
database as required while preventing users from downloading it.  
  
-or-  
  
o Migrate from Access to SQL  
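As an added defender-side example (not part of the Delphis advisory or the CyberOffice product), the following Python reads IIS W3C extended log lines and flags requests for Access database files such as /_private/shopping_cart.mdb. The log records are constructed; a 403 on such a request is what the write-but-not-read permission above should produce, while a 200 means the file was actually served.

```python
import re
from urllib.parse import unquote

# Constructed example, not the advisory's or SmartWin's code. Field names are
# those of the IIS W3C extended log format; the sample records are made up.
DB_EXTENSIONS = {".mdb", ".mdw", ".ldb"}   # Access database, workgroup, lock files
SENSITIVE_DIRS = ("/_private/", "/fpdb/")  # folders named in the advisory

def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip malformed rows, never mis-align
                yield dict(zip(fields, values))

def find_db_requests(lines):
    """Return (client_ip, path, status) for every request touching a database
    file or anything under the FrontPage private/database folders."""
    hits = []
    for rec in parse_w3c(lines):
        path = unquote(rec.get("cs-uri-stem", "")).lower()   # decode %2E, fold case
        ext = re.search(r"\.[a-z0-9]+$", path)
        if (ext and ext.group(0) in DB_EXTENSIONS) or path.startswith(SENSITIVE_DIRS):
            hits.append((rec["c-ip"], path, int(rec["sc-status"])))
    return hits

def successful_downloads(hits):
    """A 200 means the file was served; 403 shows Read permission is off."""
    return [h for h in hits if h[2] == 200]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-09-22 10:15:01 192.0.2.10 GET /default.htm 200
2000-09-22 10:15:07 192.0.2.10 GET /_private/shopping_cart.mdb 200
2000-09-22 10:16:30 192.0.2.44 GET /_private/Shopping_Cart%2Emdb 403
2000-09-22 10:17:02 192.0.2.44 GET /fpdb/orders.mdb 404
2000-09-22 10:17:40 192.0.2.44 POST /scripts/cart.asp 200
"""

if __name__ == "__main__":
    for ip, path, status in find_db_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {path}")
```

Run against a real log directory after applying the permission change: any remaining 200 on a database path means the fix has not taken effect on that server.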
  
III. Vendor Comments  
============================================================================  
  
Yes, SmartWin has been aware of the problem from the beginning, since the  
release of the program.  
  
It is a shame that FrontPage does not automatically disable /_private from  
browsing. In all of our documents we have stressed this point enough to  
cause the ISP to take action to protect the folder. Because it is the ISP  
who is required to ultimately fix the problem, the installation is powerless  
in that regard.  
  
In addition to the solutions you have given, these are the more common  
actions:  
  
1) Use IIS Management Console to disable the Read permission on the folder  
(done by ISP)  
  
2) Use FrontPage Explorer to disable the folder from being browsed (done by  
the Web master)  
  
3) Move the database to /fpdb (the database folder used by newer versions of  
FrontPage).  
  
How to protect databases from being directly downloaded is the problem that  
every ISP faces every day. SmartWin has given sufficient warning toward this  
issue. It should NOT be classified as CyberShop's problem. We have given  
warning throughout the programs to bring users' attention to this potential  
problem and to let the ISP fix it (as only the administrator can fix the  
permission).  
  
Thanks for providing your research result to us.  
  
Best Regards,  
  
Yong CHEN  
SmartWin Technology  
  
IV. Disclaimer  
============================================================================  
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR  
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE  
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR  
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE  
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.  
============================================================================  