COMMAND

VP-ASP shopping cart software path disclosure and insecure file permissions.

SYSTEMS AFFECTED

Probably all versions

PROBLEM

alias404@hotmail.com found the following:

There are several problems in the "vp-asp" shopping cart software. These are a result of default installations. This may allow:

- An attacker to locate the database/configuration.
- An attacker to change the location of the database/configuration file.
- An attacker to download the database/configuration file.
- An attacker to log in as the administrator of the VP-ASP software.

By default the login/passwords are vpasp/vpasp or admin/admin; many web sites have not changed these, thus in some places anyone can log in from the [ pretty ] web interface:

http:// [ host ] / [ vpasp dir ] /shopadmin.asp

By default the Microsoft Access configuration and storage file is named shopping400.mdb/shopping300.mdb, and is readable from the internet, a bad thing considering that it contains most, if not all, of the configuration data including personal details and credit card details, which are by default unencrypted/unprotected. [ It may contain more information but I've only ever read it with a hex editor =( ]

Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so kind as to give anyone who wants it the location of the database file [ given as xDatabase in the page ] even if the location has been changed.

NOTE: You do NOT have to be logged in as the administrator [ VP-ASP admin ] to download the database/config file.

NOTE: The database is a Microsoft [ 2000 or 97 ] Access file, so appending a .mdb to the database location [ xDatabase + .mdb ] will give the file's location, i.e.:

http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ]

NOTE: Thankfully, not all sites are vulnerable; many sensible administrators have stored the file outside of the webroot =) [ Followed the instructions on the website ], but information is still available as to the location of the file.

So, in some cases the database/config file is accessible via an internet browser.

NOTE: "shopdbtest.asp" is not the only culprit; "shopa_sessionlist.asp" will disclose the same information, but it's not as pretty and doesn't keep with the theme of the website. [ Not exactly a huge incentive to stay away but ..... ]

There is another reason to love shopdbtest.asp: it is able to change the position of the database file. You would be able to anyway if the default user/pass was still there; remember: "Using your browser, you will be able to configure over 240 different features of VP-ASP."

Attackers can easily search for sites [ en masse ] running the product [ VP-ASP ], just by using a search engine like Google [ Why would you use anything else? ], e.g.:

http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp

NOTE: shopdisplaycategories.asp is a main page for vp-asp; Google gave me 1,0** sites using this software, although it should be expected some are just running the demo and some are sensible. Just have a look under "Advanced search" in your favorite search engine and look for shopdisplaycategories.asp ONLY in the URL of the page.

http://search.lycos.com/main/adv.asp
http://www.google.com/advanced_search

Another handy thing about the website is this page, http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy VP-ASP users.

Noam Rathaus [http://www.BeyondSecurity.com] also added:

SQL injection is also possible, allowing you to enter the administrative page without actually knowing the used administrator username and password, example:

Username: 'or''=' ( i.e. enter just: 'or''=' )
Password: 'or''=' ( i.e. enter just: 'or''=' )

SOLUTION

Answer from Howard Kadetz (VP-ASP Support):

1. We absolutely recommend that the database be in a directory not viewable from the web to prevent hacker downloads. VP-ASP fully supports this by using either Windows indirect addressing or direct driver addresses or ODBC connections.

2. We recommend all our diagnostic tools be taken off after the production site is set up. Even if the database name is known, if it is "off the web", we believe disclosing the name is of no use to the hacker.

3. We certainly recommend altering the administrative userids and passwords. In addition we support facilities where the actual login page can be hidden. In that case the hacker could not find the login page if they know the password.

We have to weigh ease of installation for first time e-commerce customers and security for production sites. We believe we have accomplished this but it is obviously up to each site owner to take our recommendations and act on them. We have created a security supplement that our customers can download but hackers cannot unless they are also customers, with more details on certain aspects of security that we do not want to publicly post.

http://www.vpasp.com/sales400/addons400.asp
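The login bypass Noam Rathaus describes above, modelled as an added example that is not VP-ASP's own code: the product is classic ASP over an Access database, while this uses Python with an in-memory SQLite table and a constructed admins table (the vpasp/vpasp and admin/admin defaults come from the advisory). It shows why the `'or''='` input matches every row when the login query is built by string concatenation, and why the same input matches nothing once the query is parameterized.

```python
import sqlite3

# Constructed sample data standing in for an admin table; the real VP-ASP
# schema is not known from the advisory, only its default credentials.
ADMINS = [("vpasp", "vpasp"), ("admin", "admin")]

# The input quoted in the advisory, used for both username and password.
INJECTION = "'or''='"


def make_db():
    """Build an in-memory database holding the constructed admin rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input is spliced straight into the SQL text.

    With INJECTION for both fields the WHERE clause becomes
        username = ''or''='' AND password = ''or''=''
    and the trailing ''='' is always true, so every row is returned.
    Returns the list of usernames the query matched."""
    sql = ("SELECT username FROM admins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened pattern: the driver binds the values as data, so quotes
    in the input never become SQL syntax. Same return shape as above."""
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, INJECTION, INJECTION))
    print("parameterized:", login_param(db, INJECTION, INJECTION))
```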