Small Sites Warned of Insecure Carts - Page 2
may have known about the security vulnerability in his cart long before the recent advisory was posted on the Bugtraq security mailing list. Last August, Dansie.net was defaced by a group that calls itself Hackers in Paradise. A HiP member who uses the handle "Freejack" replaced the Dansie site's homepage with one that read, "To The Admin: Your Scripts Are Ridiculously Insecure. People Are Relying On Your Scripts Security To Protect Their Credit Card Info, Yet Your Own Scripts Can Be Easily Manipulated To Cruise Your Whole Server Hard Drive."
CART32 also has a checkered past for security. The program was among a group of eleven shopping carts that allowed an attacker to tamper with input forms and order items at reduced prices. According to Internet Security Systems Inc., which identified the vulnerability last February, version 2.6 of CART32 was modified by the developers to provide a higher level of security.
And in April of last year, it was discovered that more than 100 online stores had misconfigured their shopping carts, which allowed the software to log order information, including credit card numbers, in a world-readable file accessible to anyone with a Web browser.
Cerberus' Litchfield said the rash of security holes in ecommerce packages behooves small sites to be vigilant.
"Small sites in particular can't afford to be hacked. They should do some due diligence and make sure there's nothing wrong with these things. It's not difficult to do."