Sites Still Vulnerable to Bug in IBM software
An unpatched security hole in online storefront software from IBM is potentially exposing scores of high-profile ecommerce sites to attacks from outsiders.
The vulnerability in IBM's Net.Commerce software could enable an attacker to gain administrative access to an online store. Such access would allow an outsider to upload and download files, issue operating system commands, and extract any information from the site's database, including customer records and credit cards.
IBM is currently shipping version 5.1 of the software, which has been rebranded as the WebSphere Commerce Suite, but hundreds of sites still use older releases.
A quick search by InternetNews.com Wednesday turned up more than a dozen storefronts that appear vulnerable to an attack publicized Monday on the Bugtraq security mailing list by an Austrian software security consultant who uses the nickname "Rudi Carell."
Tim Breuer, a spokesperson for IBM, confirmed Wednesday that a similar security vulnerability was identified in internal testing by IBM in October 1999 in Net.Commerce version 2 and up to version 3.1. According to Breuer, the company subsequently released a patch, and recent editions of the software do not contain the bug.
"We aggressively contacted all of our customers and business partners and made them aware of this and encouraged them to use the fix. Since it was a year and a half ago and we haven't had a single customer come in and say there was an issue related to it, we're confident it was addressed at the time," said Breuer.
A search of the security advisories at IBM's site did not turn up any bulletins from the company about the Net.Commerce issue. Nor could any notice of the patch be found in other leading archives of security and ecommerce software discussion lists.
According to Carell, the vulnerability lies in the macro functions in the affected versions of Net.Commerce. These macros are shortcuts designed to retrieve data from the Net.Commerce database and display it as a formatted Web page. However, Carell says the macros don't do proper input validation and thus enable web surfers to submit arbitrary SQL commands to the store's database.
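The class of flaw described above, shown as an added example that is not from the article, the Bugtraq post or IBM's code: a hypothetical page macro pastes a request parameter into its SQL text, next to a version that validates and binds it. The schema, account names, function names and the `prod_id` parameter are constructed for illustration and do not reflect Net.Commerce's actual macro syntax or tables.

```python
import re
import sqlite3
from html import escape

# Constructed schema and rows; not Net.Commerce's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE account (login TEXT, role TEXT);
        INSERT INTO product VALUES (1, 'Desk lamp', '19.99'), (2, 'Bookshelf', '89.00');
        INSERT INTO account VALUES ('ncadmin_example', 'admin'), ('shopper1', 'customer');
    """)
    return db

def render(rows):
    # Format result rows as the page fragment the visitor sees.
    return "".join("<li>%s: %s</li>" % (escape(str(a)), escape(str(b))) for a, b in rows)

def macro_unsafe(db, params):
    # Weak form: the request parameter is pasted into the SQL text, so the
    # database parses visitor input as part of the statement.
    sql = "SELECT name, price FROM product WHERE id = %s" % params["prod_id"]
    return render(db.execute(sql).fetchall())

def macro_safe(db, params):
    # Hardened form: validate the expected type first, then bind the value so
    # it can only ever be data, never SQL syntax.
    prod_id = params.get("prod_id", "")
    if not re.fullmatch(r"[0-9]{1,9}", prod_id):
        return ""  # reject rather than guess what the visitor meant
    rows = db.execute("SELECT name, price FROM product WHERE id = ?", (int(prod_id),))
    return render(rows.fetchall())

# Constructed inputs: one normal request, one carrying SQL in the parameter.
NORMAL = {"prod_id": "1"}
CRAFTED = {"prod_id": "0 UNION SELECT login, role FROM account"}

if __name__ == "__main__":
    db = make_db()
    for label, params in (("normal", NORMAL), ("crafted", CRAFTED)):
        print(label, "unsafe:", macro_unsafe(db, params))
        print(label, "safe:  ", macro_safe(db, params))
```

With the crafted parameter the unsafe macro renders rows from the account table into the product page, while the bound version returns nothing.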
"The more input you tolerate, the more dangerous it is passing user input to program or operating systems functions. And if you miss that, your web-based software will turn into a nightmare," said Carell. Using one of the exploits he posted, InternetNews was able to display administrator account names at several Net.Commerce sites, although separate attacks to gather the corresponding passwords and hints were unsuccessful.
Elias Levy, chief technology officer for SecurityFocus.com, says input filtering errors are common to Web-based applications with database back ends.
"All you would have to do is figure out the layout of the tables and columns of the database and craft the correct SQL statement to get that data back," said Levy, who noted that the Net.Commerce bug resembles the widely-publicized RDS vulnerability in Microsoft's Internet Information Server.
With details of the Net.Commerce vulnerability brought to light, Levy advises Net.Commerce administrators to review their configurations and either upgrade or contact IBM for a patch.