Vulnerability
DCShop
Affected
DCShop
Description
Peter Helms found the following. There are several Web shops using
your DCShop product as their e-commerce system where it is possible for
unauthorized persons to retrieve customer credit card numbers in
cleartext via a Web browser. Although the developers recommend on their
Web site not to use the beta product for commercial use, there are
sites already using it commercially.
The issue does not show up on properly configured servers, i.e.
where the "Everyone" group has "Full Access" to the CGI-BIN or
sub-folders; more info below.
The request is made to the following URL:
http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt
This will trigger the Web host to send a text file with all recent
orders, including the end-users' names, shipping and billing addresses,
e-mail addresses AND CREDIT CARD NUMBERS with expiry dates.
In some cases it is also possible to find the administrator name
and password in another text file at the URL:
http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt
This is not really a vulnerability. It is more a server setup
problem. Normally, you should not be able to browse files in the
/cgi-bin directory; you should only be able to execute scripts
and display the page resulting from them. BUT, we do live in an
imperfect world and some servers DO allow viewing of files in the
/cgi-bin directory, and so IT IS a problem nonetheless.
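As an added example (not part of the original advisory), the following Python script scans Web server access logs in the common/combined format for direct fetches of the two DCShop data files named above and reports which requests the server actually served with a 200 status, which is the sign that the file was disclosed. The log lines are constructed for the example; the hostnames, IPs and timestamps are made up.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2001:10:01:02 +0000] "GET /cgi-bin/DCShop/shop.cgi HTTP/1.0" 200 4312 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Apr/2001:10:02:17 +0000] "GET /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 200 18220 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Apr/2001:10:02:40 +0000] "GET /cgi-bin/DCShop/Auth_data/auth_user_file.txt HTTP/1.0" 403 231 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Apr/2001:10:03:05 +0000] "GET /cgi-bin/dcshop/auth_data/auth_user_file.txt HTTP/1.0" 200 58 "-" "Mozilla/4.0"
"""

# Fields of a common/combined log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The two data files the advisory names. Matching is case-insensitive because
# DCShop typically ran on Windows hosts, where paths are case-insensitive.
SENSITIVE_PATHS = re.compile(
    r'^/cgi-bin/DCShop/(Orders/orders\.txt|Auth_data/auth_user_file\.txt)$',
    re.IGNORECASE,
)


def find_exposures(log_text: str) -> list[dict]:
    """Return one record per request for a DCShop data file.

    'served' is True when the server answered 200, i.e. the file was disclosed;
    any other status (403, 404) means the request was attempted but blocked.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not SENSITIVE_PATHS.match(path):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "status": status,
            "served": status == 200,
        })
    return hits


if __name__ == "__main__":
    for h in find_exposures(SAMPLE_LOG):
        flag = "DISCLOSED" if h["served"] else "blocked"
        print(f'{h["time"]} {h["ip"]} {h["path"]} -> {h["status"]} ({flag})')
```

A served hit for orders.txt means the customer data in that file should be treated as exposed from that timestamp onward; a 403 or 404 shows the attempt was made but the file was not readable.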
Solution
This has been reported to the developer, DCscripts.com, who within
hours posted a security issue bulletin on their web site to
clarify the recommendations for their software:
http://www.dcscripts.com/dcforum/dcshop/44.html