Title: Multiple Vulnerabilities With Cart32 Shopping Cart
Released by: Xato
Date: 9th November 2000
----------------------------------------------------------------------------

                        Xato Network Security, Inc.
                                www.xato.net

                      Security Advisory XATO-112000-01
                              November 9, 2000


           - MULTIPLE VULNERABILITIES WITH CART32 SHOPPING CART -

----------------------------------------------------------------------------

Systems Affected
================

Win32-based servers using Cart32 v3.5 and below.





Overview
========

The Cart32 shopping cart application from McMurtrey/Whitaker & Associates,
Inc. is vulnerable to a number of information leakage and other attacks.
Furthermore, common user misconfigurations and bad password encryption
make the application more vulnerable, possibly allowing a full compromise
of the server's security.





Details
=======

The Cart32 shopping cart application is a Win32 executable that resides
on a web server as cart32.exe and c32web.exe.  A number of parameters
can be passed to these CGI applications that reveal server information,
namely the physical path to the web root, the physical path to the
Windows directory, and the physical path to the program files directory.
The following URLs demonstrate this problem:

   http://www.example.com/cgi-bin/cart32.exe/error
   http://www.example.com/cgi-bin/c32web.exe/ShowAdminDir
   http://www.example.com/cgi-bin/c32web.exe/CheckError?error=53

Cart32 is also vulnerable to a denial of service attack that drives the
processor to 100% usage when the following URL is requested:

   http://www.example.com/cgi-bin/c32web.exe/ShowProgress

Cart32 has issued an updated version, 3.5a, that addresses most of these
issues; it is available from their web site (www.cart32.com).



Another problem is that many people (often as set up by their ISP or
web hosting company) put the cart32.ini file in the same directory as
cart32.exe and c32web.exe.  If that file is in that directory and is
readable, much more information can be revealed about the server,
especially if the Debug section exists in that file.  Cart32.ini contains
a lightly encrypted admin password and server configuration information.
The Debug section can contain plaintext passwords, server environment
variables, and other sensitive information.  The issue of leaving the
cart32.ini file in the CGI directory has been publicly discussed in the
past, and Cart32 does have a KB article about it, but it is still a very
common problem, as any search engine will reveal.  This issue needs to be
readdressed, especially considering the weakness of their encryption.

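As an added example (not part of the Xato advisory or of Cart32), the following Python scans IIS W3C extended log lines for requests to the URLs listed above and for fetches of cart32.ini from the CGI directory, so an administrator can tell whether these paths have been probed and whether the .ini file was actually served. The log lines, their field layout and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Request paths the advisory names (path disclosure, admin directory
# disclosure, CheckError, ShowProgress DoS) plus a fetch of cart32.ini.
INDICATORS = {
    "path-disclosure": re.compile(r"/cart32\.exe/error$", re.I),
    "admin-dir-disclosure": re.compile(r"/c32web\.exe/showadmindir$", re.I),
    "checkerror-disclosure": re.compile(r"/c32web\.exe/checkerror$", re.I),
    "showprogress-dos": re.compile(r"/c32web\.exe/showprogress$", re.I),
    "cart32.ini-fetch": re.compile(r"/cart32\.ini$", re.I),
}

def classify_request(cs_uri_stem):
    """Return the indicator name for a request path, or None."""
    stem = unquote(cs_uri_stem)  # catch %2e-style encoded variants too
    for name, pattern in INDICATORS.items():
        if pattern.search(stem):
            return name
    return None

def scan_w3c_log(lines):
    """Parse IIS W3C extended log lines (the #Fields: header gives the
    column order) and return (c-ip, cs-uri-stem, sc-status, indicator)
    for every request that matches an indicator."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        record = dict(zip(fields, line.split()))
        indicator = classify_request(record.get("cs-uri-stem", ""))
        if indicator:
            # For cart32.ini a 200 means the file really is in the CGI
            # directory and readable; a 403/404 means it was only probed.
            hits.append((record.get("c-ip"), record["cs-uri-stem"],
                         record.get("sc-status"), indicator))
    return hits

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-09 10:01:02 192.0.2.10 GET /cgi-bin/cart32.exe/error - 200
2000-11-09 10:01:05 192.0.2.10 GET /cgi-bin/c32web.exe/ShowAdminDir - 200
2000-11-09 10:01:09 192.0.2.10 GET /cgi-bin/c32web.exe/CheckError error=53 200
2000-11-09 10:02:00 192.0.2.10 GET /cgi-bin/cart32.ini - 200
2000-11-09 10:03:11 192.0.2.20 GET /cgi-bin/c32web.exe/ShowProgress - 200
2000-11-09 10:04:00 198.51.100.7 GET /cgi-bin/cart32.exe/AddItem cart=1 200
""".splitlines()
```

Run scan_w3c_log() over the lines of a real log file instead of SAMPLE_LOG; a hit on cart32.ini with status 200 is the misconfiguration the advisory describes and should be followed by moving the file out of the CGI directory and changing the admin password.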


On November 6, 2000, Colin Hart and Cart32 issued a joint advisory (BID
195) addressing the issue of the weak encryption.  They also stated
that they will not be releasing the actual algorithm.  Because we do
not agree with the concept of security through obscurity, we have put
together this snippet of VBScript code to demonstrate how a password
can be decrypted:



   ' Decodes a Cart32 admin password as stored in cart32.ini.  Each
   ' character of the result is read from a fixed position of the
   ' encoded string (Asc takes the first character of the Mid result)
   ' and shifted back by a fixed per-position offset.
   Function Cart32Decode(sPass)
       Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _
              Chr(Asc(Mid(sPass, 5)) - 8) & _
              Chr(Asc(Mid(sPass, 3)) - 16) & _
              Chr(Asc(Mid(sPass, 15)) - 15) & _
              Chr(Asc(Mid(sPass, 9)) - 9) & _
              Chr(Asc(Mid(sPass, 1)) - 12) & _
              Chr(Asc(Mid(sPass, 4)) - 3) & _
              Chr(Asc(Mid(sPass, 11)) - 5) & _
              Chr(Asc(Mid(sPass, 13)) - 11) & _
              Chr(Asc(Mid(sPass, 6)) - 5) & _
              Chr(Asc(Mid(sPass, 2)) - 1) & _
              Chr(Asc(Mid(sPass, 2)) - 1) & _
              Chr(Asc(Mid(sPass, 14)) - 13) & _
              Chr(Asc(Mid(sPass, 12)) - 10) & _
              Chr(Asc(Mid(sPass, 10)) - 6) & _
              Chr(Asc(Mid(sPass, 7)) - 8)
   End Function



As mentioned in Colin Hart's advisory, version 3.5a will fix this
problem.





Solution
========

Cart32 was first notified of these problems on August 28, 2000.  Cart32
has issued a version 3.5a release that addresses some of these issues
but not all of them.  If using Cart32 you should carefully read the
knowledge base articles available on their web site.





Commentary
==========

The real problem here isn't that Cart32 has security problems; it is
that programmers are often the weakest link in a network's security.
Programmers want to open up doors, making it easier to use and debug
their applications.  Without proper security policy and training, you
get problems like those addressed above as well as other problems that
Cart32 has had in the past, including hard-coded backdoor passwords.  If
a software developer does not value security, they will not take the
time to protect their users.  Another issue here is the encryption
algorithm being used.  The algorithm is based on obscurity, not security,
and the algorithm is known to the developers of Cart32.  That means
that any employee there would be able to decrypt any admin password
they had access to.  I would prefer a more standard encryption that
could not be unencrypted by anyone, including employees of Cart32.
Unfortunately, any security expert could take any one of the thousands
of shopping cart applications available and find numerous holes.  Many
times these same applications are used by some very large companies.
To make things worse, ISPs and web hosting companies are engaging in
poor security practices and recommending those same practices to their
customers.  Until software developers take more steps to implement better
security practices, this problem will continue to grow.





Acknowledgements
================

Author: sozni (sozni@xato.net)
Thanks to: Royce, tgooat, xentury, D. Staheli, A. Shumway, M. Burnett

This document is located at:
http://www.xato.net/reference/xato-112000-01.htm
http://www.xato.net/reference/xato-112000-01.txt





Xato Network Security, Inc. is a Windows security consulting company
that specializes in securing Windows NT4 and Windows 2000 web servers.
We also provide code auditing services because secure web applications
are as important as all other aspects of network security.  Our programmers
are well trained in security practices as well as development methodologies
and can participate through all stages of the development process.  For
more information on our services please visit www.xato.net.



-----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THIS ADVISORY IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. XATO NETWORK SECURITY, INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

COPYRIGHT (c) 2000 XATO NETWORK SECURITY, INC. ALL RIGHTS RESERVED.
-----------------------------------------------------------------------



Keywords:
Xato, Cart32, IIS, CGI, shopping cart, encryption, secure programming,
physical path, server information