Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DCShop vulnerability

From: David Choi <dcscripts () yahoo com>
Date: Mon, 18 Jun 2001 20:35:19 -0700 (PDT)
This is not really a vulnerability.  It is more a
server setup problem.

Normally, you should not be able to browse files in
/cgi-bin directory; you should only be able to execute
scripts and display the page resulting from them. 
BUT, we do live in an imperfect world and some server
DO allow viewing of files in /cgi-bin directory and so
IT IS a problem, nonetheless.  To eliminate this
problem, please see

http://www.dcscripts.com/dcforum/dcshop/44.html

Thanks.

David S. Choi
DCScripts.com


--- Peter Helms <peter.helms () ey dk> wrote:

DCShop vulnerability

We have seen several Web shops using your 
DCShop product as E-commerce system, where it is 
possble for unauthorized persons via a Web browser 
to retrieve customer creditcard numbers in
cleartext. 
Athough the developers on their Web site 
recommends not to use the beta product for 
commercial use, we have found sites already using it

commercially.

The issue does not show up on properly configured 
servers, i.e. where the "Everyone"-group has "Full 
Access" to the CGI-BIN or sub-folders, more info 
below.


The requests are made of the following URL:


http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt

This will triger the Web host to send a text file
with all 
recent orders, including the end-users name, 
shipping and billing-address, e-mail address AND 
CREDIT CARD NUMBERS with exp-dates.


It is also in some cases possible to find the 
administrator name and password in another text file

from an URL:
http://theTargetHost/cgi-
bin/DCShop/Auth_data/auth_user_file.txt

We have reported this issue to the developer, 
DCscripts.com, who within hours posted a security 
issue bulletin on their web site to clarify the 
recommendations for their software:
http://www.dcscripts.com/dcforum/dcshop/44.html



Peter Helms
Ernst & Young, Denmark
peter.helms () ey dk



__________________________________________________
Do You Yahoo!?
Spot the hottest trends in music, movies, and more.
http://buzz.yahoo.com/
Previous By Date Next
Previous By Thread Next

Current thread: