DST2K0035: Credit card (customer) details exposed within CyberOffice Shopping Cart v2

2000-10-06T00:00:00
ID SECURITYVULNS:DOC:752
Type securityvulns
Reporter Securityvulns
Modified 2000-10-06T00:00:00

Description

All,

We have not released this for the past week at the vendor's request. This was to enable them to notify all registered users about this vulnerability and to provide a workaround.

We have taken the unusual step of including the vendor's response to our original advisory release in full. This was due to the fact that the vendor did not indicate to us that there was going to be a fix, but rather that it was down to the user (or their ISP) to secure the installation.

Rgds

Ollie

Ollie Whitehouse
Security Team Leader
tel: +44 (0)20 79160200

============================================================================
                          Delphis Consulting Plc
============================================================================

                       Security Team Advisories
                           [22/09/2000]

                        securityteam@delphisplc.com
              [http://www.delphisplc.com/thinking/whitepapers/]

============================================================================

Adv     : DST2K0035
Title   : Credit card (customer) details exposed within CyberOffice Shopping Cart v2
Author  : DCIST (securityteam@delphisplc.com)
O/S     : Microsoft Windows NT 4 Server (SP5)
Product : CyberOffice Shopping Cart v2
Date    : 22/09/2000

I. Description

II. Delphis Solution

III. Vendor Comments

IV. Disclaimer

============================================================================

I. Description

Vendor URL: http://www.smartwin.com.au/smartwin.htm

Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerability in CyberOffice Shopping Cart v2 under Windows NT.

Severity: high - Database access by default

It is possible with default installations of CyberOffice (installed according to the vendor's instructions) to gain access to the database which holds customer orders, customer details and credit card information. This data is held in an unprotected and unencrypted Microsoft Access database.

example: http://127.0.0.1/_private/shopping_cart.mdb

By default the _private directory is world readable and accessible by any anonymous web user. The vendor does state in the documentation that the /_private/ directory should not be browsable, but disabling directory browsing only hides the directory listing: if the file name is known, the file can still be downloaded.
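A defender who suspects the default installation was exposed will want to know whether the database file was ever actually served. The following is an added example (not part of the Delphis advisory or the CyberOffice product) that parses an IIS W3C extended log extract and flags every request for an Access database file that completed with HTTP 200. The log lines are constructed for this example; the column layout follows the W3C extended format, in which a `#Fields:` directive names the columns.

```python
"""Flag successful downloads of Access database files in IIS W3C extended logs.

Added example, not code from the advisory or the vendor. SAMPLE_LOG is a
constructed extract: the 200 response for /_private/shopping_cart.mdb with a
non-trivial byte count is the event an administrator needs to find.
"""
from typing import Dict, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-09-22 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2000-09-22 10:00:01 10.0.0.5 GET /default.htm 200 1432
2000-09-22 10:00:09 10.0.0.5 GET /cgi-bin/shop.asp 200 5120
2000-09-22 10:01:15 192.0.2.77 GET /_private/shopping_cart.mdb 200 245760
2000-09-22 10:01:40 192.0.2.77 GET /_private/ 403 0
2000-09-22 10:02:03 10.0.0.9 GET /_private/shopping_cart.mdb 404 0
"""

# Jet/Access database file extensions worth alerting on.
DB_SUFFIXES = (".mdb", ".mde")


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request line.

    Column names come from the most recent '#Fields:' directive; other
    '#' directive lines are skipped. A line whose column count does not
    match the directive is dropped rather than mis-attributed.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_db_downloads(text: str) -> List[Dict[str, str]]:
    """Return the request rows in which a database file was served with 200.

    A 404 for the same path is not a download; a 403 on the directory is
    the browsing restriction working, not a download either.
    """
    hits: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(DB_SUFFIXES) and row.get("sc-status") == "200":
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_db_downloads(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} downloaded "
              f"{hit['cs-uri-stem']} ({hit['sc-bytes']} bytes)")
```

On the constructed extract the only hit is the 200 response to 192.0.2.77; the later 404 for the same path (after the file was moved or read access removed) and the 403 on the directory listing are correctly ignored. The `sc-bytes` column is the useful corroboration: a 200 that transferred roughly the size of the .mdb file means the whole database left the server.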

II. Delphis Solution

Vendor Status: Informed (See Section III.)

Currently Delphis recommend the following:

o Within IIS (Internet Information Server) manager set the directory permissions to write but NOT read. This will enable users to update the database as required by the application but not be able to download it.

-or-

o Migrate from Access to SQL
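To apply the first recommendation an administrator needs to know which directories under the web root actually hold database files, since the IIS read permission is set per directory. The following is an added example (not Delphis's or the vendor's code) that walks a web root and groups Access database files by the web directory that serves them, so that each listed directory can have its read permission removed in IIS manager. The directory layout is constructed in a temporary folder and mirrors the default install described above; the path names are assumptions for the example.

```python
"""Audit a web root for Access database files, grouped by serving directory.

Added example, not code from the advisory or the vendor. build_sample_webroot()
constructs a throwaway layout resembling the default install described in the
advisory (database under /_private/) plus a second database under /fpdb/.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Jet/Access database file extensions to report.
DB_SUFFIXES = {".mdb", ".mde"}


def find_db_directories(web_root: str) -> Dict[str, List[str]]:
    """Map each web directory (URL-style, with trailing slash) to the database
    files it contains. Any file under the web root is retrievable by name
    while its directory keeps the IIS read permission, whether or not
    directory browsing is enabled, so every directory returned here needs
    its read permission removed (or the file moved out of the web root)."""
    root = Path(web_root)
    found: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DB_SUFFIXES:
            continue
        rel = path.relative_to(root)
        parent = rel.parent.as_posix()
        web_dir = "/" if parent == "." else "/" + parent + "/"
        found.setdefault(web_dir, []).append(rel.name)
    for names in found.values():
        names.sort()
    return found


def build_sample_webroot() -> str:
    """Create a constructed sample web root in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="webroot_"))
    (base / "_private").mkdir()
    (base / "fpdb").mkdir()
    (base / "images").mkdir()
    # Header bytes are illustrative only; no real database is created.
    (base / "_private" / "shopping_cart.mdb").write_bytes(b"Standard Jet DB")
    (base / "fpdb" / "orders.mdb").write_bytes(b"Standard Jet DB")
    (base / "default.htm").write_text("<html></html>")
    (base / "images" / "logo.gif").write_bytes(b"GIF89a")
    return str(base)


if __name__ == "__main__":
    sample = build_sample_webroot()
    for web_dir, names in sorted(find_db_directories(sample).items()):
        print(f"{web_dir}: {', '.join(names)}  -> remove IIS Read permission")
```

Note that the audit only finds files that sit under the web root; a database relocated outside it does not appear in the report, which is the point of relocating it. Moving the file from /_private/ to /fpdb/, as the vendor's comments below suggest, still leaves it under the web root, so that directory must have its read permission removed as well.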

III. Vendor Comments

Yes, SmartWin is aware of the problem from the beginning since the release of the program.

It is a shame that FrontPage does not automatically disable /_private from browsing. In all of our documents we have stressed this point enough to cause the ISP to take action to protect the folder. Because it is the ISP who is required to ultimately fix the problem, the installation is powerless in that regard.

In addition to the solutions you have given, these are the more common actions:

1) Use IIS Management Console to disable the Read permission on the folder (done by ISP)

2) Use FrontPage Explorer to disable the folder from being browsed (done by the Web master)

3) Move the database to /fpdb (the database folder used by newer versions of FrontPage).

How to protect databases from being directly downloaded is the problem that every ISP faces every day. SmartWin has given sufficient warning toward this issue. It should NOT be classified as CyberShop's problem. We have given warning throughout the programs to bring users' attention to this potential problem to let the ISP fix it (as only the administrator can fix the permission).

Thanks for providing your research result to us.

Best Regards,

Yong CHEN
SmartWin Technology

IV. Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================