Title: Shopping Carts exposing CC data
Date Issued: April 20, 1999
Last Modified: April 25, 1999
Code: ECOM-990420
Source: Misc

Shopping Carts exposing CC data
Joe (joe@GONZO.BLARG.NET)

Tomorrow (April 20 1999) CNet's news.com should be running a story regarding various commercial and freeware shopping carts that, when installed incorrectly or when installed by amateurs, result in the possible exposure of customer information... and not just a few digits of a credit card number like Yahoo's latest goof - everything is exposed. Name, CC numbers, home address, phone number, what they ordered, how much they paid etc etc etc.

These various shopping carts create world-readable files in the web server's document tree which have subsequently been indexed by numerous search engines. (If a cold chill didn't just run down your spine, please, check your pulse)

To access this order information you need a search engine and a little knowledge of how these various shopping carts are structured. Since some are freeware and the commercial carts have downloadable demos, this is trivial information to obtain.

This email is a heads up to system administrators and hosts. These exposed order files were found by common search engine techniques and I suspect that after this story hits, those files are going to be even more vulnerable than they already are.

If your users have 3rd party shopping carts installed on your servers, please run an audit on the files they generate and maintain. Any clear-text order information available to or stored in your web server's document tree should be immediately removed or have its access restricted. This is common sense to most of us here; however, like most hosts, we don't always know what security nightmares our users have created for us and for themselves.

Here are the six shopping carts that, when installed contrary to their documentation or improperly maintained, can expose order information.
All of the exposed information generated by these carts was discovered through a public search engine.

Selena Sol's WebStore 1.0
http://www.extropia.com/
Platforms: Win32 / *Nix (Perl5)
Executable: web_store.cgi
Exposed Directory: Admin_files
Exposed Order Info: Admin_files/order.log
Status: Commercial ($300) / Demo available.
Number of exposed installs found: 100+
PGP Option Available?: Yes

Order Form v1.2
http://www.io.com/~rga/scripts/cgiorder.html
Platforms: Win32 / *Nix (Perl5)
Executable: ?
Exposed Directory: Varies, commonly "Orders", "order", "orders" etc.
Exposed Order Info: order_log_v12.dat (also order_log.dat)
Status: Shareware ($15/$25 registration fee)
Number of exposed installs found: 15+
PGP Option Available?: Unknown.

Seaside Enterprises EZMall 2000
http://www.ezmall2000.com/
Platforms: Win32 / *Nix (Perl5)
Executable: mall2000.cgi
Exposed Directory: mall_log_files
Exposed Order Info: order.log
Status: Commercial ($225.00 + options)
Number of exposed installs found: 20+
PGP Option Available?: YES

QuikStore
http://www.quikstore.com/
Platforms: Win32 / *Nix (Perl5)
Executable: quikstore.cgi
Exposed Order Info: quikstore.cfg* (see note)
Status: Commercial ($175.00+ depending on options)
Number of exposed installs found: 3
PGP Option Available?: Unknown.

NOTE: This is, IMHO, one of the most dangerous of the lot, but thankfully, one of the lowest number of discovered exposures. Although the order information itself is secured behind an htaccess name/pwd pair, the config file is not. The config file is world-readable, and contains the CLEAR TEXT of the ADMIN'S user id and password - rendering the entire shopping cart vulnerable to an intruder. QuikStore's "password protected Online Order Retrieval System" can be wide open to the world. (Armed with the name and pwd, the web visitor IS the administrator of the shopping cart, and can view orders, change settings and order information - the works.)
PDGSoft's PDG Shopping Cart 1.5
http://www.pdgsoft.com/
Platforms: Win32 / *Nix (C/C++(?))
Executable: shopper.cgi
Exposed Directory: PDG_Cart/ (may differ between installs)
Exposed Order Info: PDG_Cart/order.log
Exposed Config Info: PDG_Cart/shopper.conf (see note)
Status: Commercial ($750 + options)
Number of exposed installs found: 1+ (They installed it on our server)
PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)

NOTE: If they renamed the order log, shopper.conf will tell you where it's at and what it was named - worse, shopper.conf exposes the clear text copy of Authnet_Login and Authnet_Password, which gives you full remote administrative access to the cart. shopper.conf, from what I can determine based on the company-installed version we have here, is world-readable and totally unsecured.

And now a drum roll please:

Mercantec's SoftCart
http://www.mercantec.com/
Platform: Win32 (*Nix?)
Executable: SoftCart.exe (version unknown)
Exposed Directory: /orders and /pw
Exposed Order Info: Files ending in "/orders/*.olf"
Exposed Config Info: /pw/storemgr.pw (user ID and encrypted PW for store mgr?)
Number of exposed installs: 1
PGP Option Available?: Unknown

NOTES: This one has only been found vulnerable on ONE server. (user error?) The encryption scheme on the storemgr.pw password is unrecognized by me but I'm not an encryption guru. Someone's bound to recognize it.

Other Submitted Sites: (Bo Elkjaer (boo@DATASHOPPER.DK))

Mountain Network Systems Inc.
http://www.mountain-net.com
Platform: ?
Exposed Directories: /config, /orders (and others. They're all listed in the config file)
Exposed Order Info: orders.txt
Exposed Config Info: mountain.cfg
Number of exposed installs: 18+ at a quick glance. Probably more.
PGP Option Available?: Unknown
Status: Commercial, ranging from $399 to $4650.

Cybercash 2.1.4
http://www.cybercash.com
Platforms: Sparc?
Exposed Directory: /smps-2.1.4-solaris-sparc/
Exposed Order Info: Several files, as far as I can see.
Many are located in the /db/credit directory.
What's worse: exposed admin password and configuration files: admin.pw and admin.conf.
Status: Commercial.

Perlshop
Version: ?
Platforms: ?
Executable file: perlshop.cgi
Exposed Directory: /store/customers/, /store/temp_customers/
Exposed Order Info: Several files, eight-digit numbered names.
Status: adverware. Only requirement is to display a "powered by perlshop" logo on the page.

*shudder*

Any and all opinions expressed here are solely those of the author and do not reflect the views, policies, practices or opinions of my employer.
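The audit the post asks hosts to run, as an added example that is not part of the original post and not any vendor's tool: a Python script that walks a web document root looking for the order-log and configuration file names and cart data directories listed in this advisory, and reports for each hit whether the file is world-readable (which is what lets a web server running as an unprivileged account serve it to a crawler). The file and directory names come from the post; the sample tree it builds under a temp directory is constructed here, and `audit_docroot`, `build_sample_docroot` and the reason strings are names chosen for this example. The list covers only the carts named in the post, so treat it as a starting point rather than a complete inventory.

```python
import fnmatch
import os
import stat
import tempfile

# File names the advisory lists as the artifacts that turned up in search
# engines. Matching is on the basename; "*.olf" is a glob for SoftCart orders.
EXPOSED_FILE_PATTERNS = (
    "order.log",          # WebStore (Admin_files/), EZMall 2000, PDG Shopping Cart
    "order_log_v12.dat",  # Order Form v1.2
    "order_log.dat",      # Order Form v1.2 (older name)
    "quikstore.cfg",      # QuikStore config holding the admin id/password
    "shopper.conf",       # PDG config holding Authnet_Login/Authnet_Password
    "*.olf",              # SoftCart order files
    "storemgr.pw",        # SoftCart store manager credentials
    "mountain.cfg",       # Mountain Network Systems config
    "orders.txt",         # Mountain Network Systems orders
    "admin.pw",           # CyberCash admin password
    "admin.conf",         # CyberCash config
)

# Directory names the advisory names as cart data directories.
EXPOSED_DIR_NAMES = (
    "Admin_files", "mall_log_files", "PDG_Cart", "orders", "pw",
    "customers", "temp_customers",
)

REASON_DIR = "known cart data directory inside docroot"
REASON_WORLD = "known cart order/config file, world-readable"
REASON_RESTRICTED = "known cart order/config file in docroot (not world-readable)"


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. a web server running as
    nobody/www-data can hand the file to any visitor who requests it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_docroot(docroot):
    """Walk a document root and return sorted (relative_path, reason) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        for name in dirnames:
            if name in EXPOSED_DIR_NAMES:
                rel = os.path.normpath(os.path.join(rel_dir, name))
                findings.append((rel, REASON_DIR))
        for name in filenames:
            if not any(fnmatch.fnmatch(name, pat) for pat in EXPOSED_FILE_PATTERNS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            reason = REASON_WORLD if is_world_readable(full) else REASON_RESTRICTED
            findings.append((rel, reason))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree (not taken from any real install) mimicking a
    host whose users dropped cart files into the docroot. Returns the path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        # relative path: permission bits
        "index.html": 0o644,             # harmless page, must not be flagged
        "Admin_files/order.log": 0o644,  # WebStore order log, readable by all
        "cgi-bin/shopper.conf": 0o600,   # PDG config, owner-only but still in docroot
        "orders/00000001.olf": 0o644,    # SoftCart order file, readable by all
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Build the constructed tree and print what the audit finds in it.
    for rel, reason in audit_docroot(build_sample_docroot()):
        print(f"{reason}: {rel}")
```

A world-readable hit is one a crawler could have fetched; a restricted hit still belongs outside the document tree, since the post's advice is removal or access restriction for any clear-text order data under the docroot, and a later chmod or a careless reinstall can undo the restriction. On a real host, call `audit_docroot("/path/to/htdocs")` for each document root the server exposes.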