
Title: Credit card (customer) details exposed within CyberOffice
Released by: Delphis Consulting Plc
Date: 22nd September 2000
============================================================================

    Delphis Consulting Plc

============================================================================

   Security Team Advisories

       [22/09/2000]

    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]

============================================================================

Adv     :       DST2K0035
Title   :       Credit card (customer) details exposed within CyberOffice
                Shopping Cart v2
Author  :       DCIST (securityteam@delphisplc.com)
O/S     :       Microsoft Windows NT 4 Server (SP5)
Product :       CyberOffice Shopping Cart v2
Date    :       22/09/2000

I.    Description
II.   Delphis Solution
III.  Vendor Comments
IV.   Disclaimer

============================================================================



I. Description
============================================================================

Vendor URL: http://www.smartwin.com.au/smartwin.htm

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in CyberOffice Shopping Cart v2 under Windows NT.

Severity: high - Database access by default

In a default installation of CyberOffice (following the vendor's
instructions) it is possible to retrieve the database that holds customer
orders, customer details and credit card information. This data is held in
an unprotected, unencrypted Microsoft Access database.

example: http://127.0.0.1/_private/shopping_cart.mdb

By default the _private directory is world readable and accessible to any
anonymous web user. The vendor does state in the documentation that the
/_private/ directory should not be browsable, but disabling directory
browsing does not prevent download: if the file name is known, the file can
still be requested directly.
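Because the database sits under the web root, the first question an operator of an affected site will ask is whether the file was ever fetched. The following script is an added example, not part of the Delphis advisory or of the CyberOffice product: it parses IIS W3C extended log lines and flags requests for Access database files or for the FrontPage data folders named on this page. The log lines are constructed for the example, and the field set, the folder list (`/_private/`, `/fpdb/`) and the `.mdb` extension are assumptions drawn from the advisory text.

```python
from typing import Dict, List, Optional

# Assumptions drawn from the advisory: Access databases (.mdb) living under
# the FrontPage data folders are the sensitive artefacts.
SENSITIVE_EXTENSIONS = (".mdb",)
SENSITIVE_PREFIXES = ("/_private/", "/fpdb/")

# Constructed sample log (not real traffic). Fields follow the IIS W3C
# extended format, whose "#Fields:" directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2000-09-22 10:14:03 192.0.2.10 GET /default.htm 200 4120
2000-09-22 10:14:09 192.0.2.10 GET /cart/order.asp 200 8812
2000-09-22 10:15:41 198.51.100.7 GET /_private/shopping_cart.mdb 200 1572864
2000-09-22 10:15:42 198.51.100.7 GET /_private/ 403 0
2000-09-22 10:16:00 203.0.113.5 HEAD /_private/shopping_cart.mdb 404 0
2000-09-22 10:17:12 192.0.2.10 POST /cart/checkout.asp 200 512
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request.

    Column names come from the '#Fields:' directive; other '#' lines are
    directives we do not need. Lines whose token count does not match the
    declared fields are skipped rather than guessed at.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def classify_request(row: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a sensitive request, or None.

    A request counts as 'served' only when it is a GET answered with 200:
    a 403/404, or a HEAD, shows interest in the file but not a download.
    Matching is case-insensitive because NTFS paths are.
    """
    stem = row.get("cs-uri-stem", "").lower()
    hits_ext = stem.endswith(SENSITIVE_EXTENSIONS)
    hits_dir = stem.startswith(SENSITIVE_PREFIXES)
    if not (hits_ext or hits_dir):
        return None
    served = row.get("cs-method") == "GET" and row.get("sc-status") == "200"
    what = "database file" if hits_ext else "data folder"
    return f"{what} {'served' if served else 'requested, not served'}"


def find_exposures(log_text: str) -> List[Dict[str, str]]:
    """All requests touching the sensitive paths, with their finding label."""
    findings = []
    for row in parse_w3c_log(log_text):
        reason = classify_request(row)
        if reason:
            findings.append({**row, "finding": reason})
    return findings


def served_database_downloads(log_text: str) -> List[Dict[str, str]]:
    """Only the requests that actually delivered a database file."""
    return [f for f in find_exposures(log_text) if f["finding"] == "database file served"]


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"{f['date']} {f['time']} {f['c-ip']:>14} {f['cs-method']:<5} "
              f"{f['cs-uri-stem']:<35} {f['sc-status']}  {f['finding']}")
```

Run against a site's own IIS logs, the "database file served" entries are the ones that matter for breach assessment; the "requested, not served" entries are still worth keeping, since they show the file was being looked for before the permission change described in the next section took effect.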



II. Delphis Solution
============================================================================

Vendor Status: Informed (See Section III.)

Currently Delphis recommends the following:

 o Within the IIS (Internet Information Server) manager, set the directory
   permissions on /_private/ to Write but NOT Read. This allows the
   application to update the database as required while preventing web
   users from downloading it.

-or-

 o Migrate from Access to SQL (a database server rather than a file stored
   beneath the web root).



III. Vendor Comments
============================================================================

Yes, SmartWin is aware of the problem from the beginning since the release of
the program.

It is a shame that FrontPage does not automatically disable /_private from
browsing. In all of our documents we have stressed this point enough to
cause the ISP to take action to protect the folder. Because it is the ISP
who is required to ultimately fix the problem, the installation is powerless
in that regard.

In addition to the solutions you have given, these are the more common
actions:

1) Use IIS Management Console to disable the Read permission on the folder
(done by ISP)

2) Use FrontPage Explorer to disable the folder from being browsed (done by
the Web master)

3) Move the database to /fpdb (the database folder used by newer versions of
FrontPage).

How to protect databases from being directly downloaded is the problem that
every ISP faces every day. SmartWin has given sufficient warning toward this
issue. It should NOT be classified as CyberShop's problem. We have given
warning throughout the programs to bring users' attention to this potential
problem to let the ISP fix it (as only the administrator can fix the
permission).

Thanks for providing your research result to us.

Best Regards,

Yong CHEN
SmartWin Technology



IV. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================

(C) 1999-2000 All rights reserved.