Vulnerability

    Cart32

Affected

    Cart32 v3.5 and below

Description

    Following is  based on  a Xato  Security Advisory  XATO-112000-01.
    The  Cart32  shopping  cart  application from McMurtrey/Whitaker &
    Associates, Inc. is vulnerable to a number of information  leakage
    and  other  attacks.   Furthermore,  common user misconfigurations
    and bad password encryption make the application more  vulnerable,
    possibly allowing a full compromise of the server's security.

    The Cart32 shopping  cart application is  a Win32 executable  that
    resides on a web server  as cart32.exe and c32web.exe.   There are
    a  number  of  parameters  that   can  be  passed  to  these   CGI
    applications that will reveal server information, namely  physical
    paths to the  web root, physical  paths to the  Windows directory,
    and physical paths to the program files directory.  The  following
    urls demonstrate this problem:

        http://www.example.com/cgi-bin/cart32.exe/error
        http://www.example.com/cgi-bin/c32web.exe/ShowAdminDir
        http://www.example.com/cgi-bin/c32web.exe/CheckError?error=53

    Cart32 is also vulnerable to a denial of service attack that  will
    jump the processor to 100% usage by entering the following url:

        http://www.example.com/cgi-bin/c32web.exe/ShowProgress

    Another problem is that many people often (as set up by their  ISP
    or  web  hosting  company)  put  the  cart32.ini  file in the same
    directory as cart32.exe and c32web.exe.   If that file is in  that
    directory  and  is  readable,  then  much  more information can be
    revealed about the server, especially if the Debug section  exists
    in  that  file.   Cart32.ini  contains  a  lightly encrypted admin
    password and server configuration information.  The Debug  section
    can  contain  plaintext  passwords,  server environment variables,
    and  other  sensitive  information.   The  issue  of  leaving  the
    cart32.ini file has been publicly discussed in the past and Cart32
    does have a  KB article about  this issue but  it is still  a very
    common problem as any search engine will reveal.  This issue  does
    need to  be readdressed,  especially considering  the weakness  of
    their encryption.

    On November 6, 2000 Colin Hart and Cart32 issued a joint  advisory
    (BID 195) addressing the issue of the weak encryption.  They  also
    stated that they will not be releasing the actual algorithm.   For
    more info see:

        http://oliver.efri.hr/~crv/security/bugs/Others/cart2.html

    Because Xato does not agree  with the concept of security  through
    obscurity, they have  put together this  snippet of VBScript  code
    to demonstrate how a password can be unencrypted:

        Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _
	               Chr(Asc(Mid(sPass, 5)) - 8) & _
	               Chr(Asc(Mid(sPass, 3)) - 16) & _
	               Chr(Asc(Mid(sPass, 15)) - 15) & _
	               Chr(Asc(Mid(sPass, 9)) - 9) & _
	               Chr(Asc(Mid(sPass, 1)) - 12) & _
	               Chr(Asc(Mid(sPass, 4)) - 3) & _
	               Chr(Asc(Mid(sPass, 11)) - 5) & _
	               Chr(Asc(Mid(sPass, 13)) - 11) & _
	               Chr(Asc(Mid(sPass, 6)) - 5) & _
	               Chr(Asc(Mid(sPass, 2)) - 1) & _
	               Chr(Asc(Mid(sPass, 2)) - 1) & _
	               Chr(Asc(Mid(sPass, 14)) - 13) & _
	               Chr(Asc(Mid(sPass, 12)) - 10) & _
	               Chr(Asc(Mid(sPass, 10)) - 6) & _
	               Chr(Asc(Mid(sPass, 7)) - 8)

    As mentioned in Colin Hart's advisory, version 3.5a will fix  this
    problem.

Solution

    Cart32 has issued an updated  version 3.5a that addresses most  of
    these issues  and has  an updated  version available  at their web
    site (www.cart32.com).