OSEC

From: Peter Helms (peter.helmsey.dk)
Date: Mon Jun 18 2001 - 07:08:54 CDT


    DCShop vulnerability

    We have seen several Web shops using your
    DCShop product as E-commerce system, where it is
    possible for unauthorized persons via a Web browser
    to retrieve customer credit card numbers in cleartext.
    Although the developers on their Web site
    recommend not to use the beta product for
    commercial use, we have found sites already using it
    commercially.

    The issue does not show up on properly configured
    servers, i.e. where the "Everyone"-group has "Full
    Access" to the CGI-BIN or sub-folders, more info
    below.


    The request is made to the following URL:
    http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt
    This will trigger the Web host to send a text file with all
    recent orders, including the end-user's name,
    shipping and billing address, e-mail address AND
    CREDIT CARD NUMBERS with exp-dates.


    It is also in some cases possible to find the
    administrator name and password in another text file
    from a URL:
    http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt

    We have reported this issue to the developer,
    DCscripts.com, who within hours posted a security
    issue bulletin on their web site to clarify the
    recommendations for their software:
    http://www.dcscripts.com/dcforum/dcshop/44.html



    Peter Helms
    Ernst & Young, Denmark
    peter.helmsey.dk
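The advisory comes down to two separate defects: order and credential files are stored in cleartext on disk, and they sit under the CGI directory with permissions that let the Web server hand them to anyone. The following audit script is an added example, not code from the advisory or from DCScripts; it builds a constructed DCShop-style directory (sample names, addresses and the well-known 4111... / 5500... test card numbers, all made up here) and walks it to flag files that either contain card-number-like strings or are non-executable data files readable by everyone. It assumes a Unix-style permission model, where the "other read" bit is the closest analogue to the Windows "Everyone" group the advisory mentions; the function names (`build_sample_tree`, `audit_cgi_tree`, `demo`) are this example's own.

```python
import os
import re
import stat
import tempfile

# Constructed sample data (not from the advisory): DCShop-style cleartext
# order records and an auth file, laid out under a cgi-bin tree.
SAMPLE_ORDERS = (
    "Jane Doe|12 Example Street|jane@example.invalid|4111111111111111|12/03\n"
    "John Roe|34 Sample Road|john@example.invalid|5500000000000004|06/02\n"
)
SAMPLE_AUTH = "admin:plaintext-password\n"
SAMPLE_SCRIPT = "#!/usr/bin/perl\nprint \"Content-type: text/html\\n\\n\";\n"

# 14-19 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_like_numbers(text):
    """Return digit strings in text that look like card numbers (Luhn-valid)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def build_sample_tree():
    """Create a constructed DCShop-like tree in a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="dcshop-audit-")
    layout = {
        "Orders/orders.txt": (SAMPLE_ORDERS, 0o644),        # readable by everyone
        "Auth_data/auth_user_file.txt": (SAMPLE_AUTH, 0o644),
        "dcshop.cgi": (SAMPLE_SCRIPT, 0o755),               # a normal CGI script
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def audit_cgi_tree(cgi_root):
    """Walk cgi_root and return sorted (relative path, [reasons]) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(cgi_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, cgi_root).replace(os.sep, "/")
            mode = os.stat(path).st_mode
            reasons = []
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                cards = card_like_numbers(fh.read())
            if cards:
                reasons.append("%d card-like number(s) in cleartext" % len(cards))
            # Executable files are expected to be world-readable CGI scripts;
            # a non-executable file readable by "other" is a data file exposed
            # to anyone the web server runs requests for.
            if not (mode & stat.S_IXUSR) and (mode & stat.S_IROTH):
                reasons.append("readable by everyone")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Audit the sample tree before and after tightening file permissions."""
    root = build_sample_tree()
    before = audit_cgi_tree(root)
    # The permission fix the developer's bulletin points at: remove access
    # for everyone but the owner. The cleartext storage itself remains.
    for rel in ("Orders/orders.txt", "Auth_data/auth_user_file.txt"):
        os.chmod(os.path.join(root, rel), 0o600)
    after = audit_cgi_tree(root)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Running `demo()` shows the point a defender should take from the advisory: the permission change removes the "readable by everyone" finding on both files, but `Orders/orders.txt` still shows up because full card numbers are still stored in cleartext, which no file-permission setting fixes.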