Cgisecurity Quickstore Shopping cart

2000-11-22T00:00:00
ID SECURITYVULNS:DOC:958
Type securityvulns
Reporter Securityvulns
Modified 2000-11-22T00:00:00

Description

Now i already released this on my site but i forgot to post to bugtraq somehow. Vendor was contacted and i waited awhile for a response and got none back. Upgrade to the newest version for a fix.

-zenomorph

(ps. check bugtraq for older holes in the same product)

                    [Cgi Security Advisory #1]
                      admin@cgisecurity.com
                     Quikstore Shopping Cart

Problem first discovered September 2000

Public release October 2000

Script effected: QuikStore Shopping Cart (www.quikstore.com)

Known versions effected: Version: 2.00 Version: 2.09.05 Version: 2.09.10 Possible other versions. Those listed above are confirmed.

Platforms: Unix NT

  1. Past problems

This particular script has had several past security issues. Check bugtraq or www.securityfocus.com for further details.

  1. Problem

In a few versions of QuikStore's Shopping Cart it is posible to read any world readable file on the server. One such example is that someone could easily get your password file if it is unshadowed. Also, it's possible, after the passwords have been cracked, to steal credit card information(Yes it does use pgp but some admins may keep the key on the same system. Yes its very likely it could happen.) ,or client personal information.

The problem lies in QuikStore.cgi itself. The following example (found below) grabs the cgi programs actual source code. You can imagine other ways to exploit this. I decided not to post the actual exploit so I may be able to save a few sites from a few script kiddies (although a 2 year old should be able to figure it out). Another potential problem is that it is posible to read configuration files, and potentially expose paths to sensitive files, or information which you probably do not want people to know about.

http://somesite/cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id= (Grabs the cgi's source code)

  1. More problems

A lot of the ways attackers get into your network are through the weakest link in the chain. If a server hosts 1,000 sites, and you are able to get the password file, it is not only possible to endanger your own website, but all other websites located on the same machine as yours. BE CAREFUL WHAT YOU ALLOW FOR SCRIPTS.

  1. Fixes

The vendor has been contacted and will issue a fix soon. NOTE: If you believe you are running a vulnerable version please contact your system administrator or ISP or keep checking the vendor for patches and upgrades.

Published to the Public October 30th 2000 Copyright September 2000 Cgisecurity.com