Small Sites Warned of Insecure Carts
Page 1 of 2
The discovery of a backdoor in another popular shopping cart program raises new questions about the overall security of the e-commerce software relied upon by small businesses.
According to an advisory Thursday from Cerberus Internet Security in London, the main program file for CART32, a CGI program for 32-bit Windows systems in use by more than 1,000 small online stores, contains an undocumented password. When used properly, the password enables a third party to run arbitrary commands on the Web server and potentially to access credit card numbers, shipping addresses and other sensitive information.
David Litchfield, director of security for Cerberus, said he and his brother Mark discovered the hidden password by opening the CART32 executable with a text editor. Armed with the password, the Litchfields were able to cause CART32 to divulge another set of passwords for accessing the cart's various data files.
Cerberus also found a second vulnerability in CART32, which enables someone to change the cart's administrative password.
Lauren Willard, a technical support rep for CART32, said the company used the backdoor for technical support tasks such as assisting customers who had lost their passwords.
"We never used it except to help them out with their Web site or for the administration of their cart," said Willard.
McMurtrey/Whitaker expects to release a patch for the program early next week. In the meantime, as a workaround, CART32 users can manually edit the program file to change to secret password. L0pht Heavy Industries, a white-hat hacking group, has also released a tool that searches for the backdoor password in the CART32 program and replaces it with a random backdoor password. The tool also changes the permissions on the shopping cart's administration program so that unauthorized users cannot change the administrator password.
Litchfield of Cerberus defended his company's decision to publicize the backdoor before the patch was available.
"It's a blatant security hole, and for all we know there could be hackers out there who've known about it for months and are exploiting it," said Litchfield.
One of CART32's marquee customers, the online store at the official site of the Detroit Redwings hockey team, has apparently stopped using the shopping cart. The site was offline Thursday, and when it reappeared Friday, the store section was replaced with an input screen for requesting a paper catalog. Site representatives did not respond to requests for information.
The backdoor in CART32 is just the latest in a string of security vulnerabilities in software used by small online businesses. Earlier this month, a similar backdoor was discovered in the popular Dansie Shopping Cart. In that case, the program's author, Craig Dansie, coded the backdoor into the program to enable him to delete the script from any server that was violating his copyright.
After initially denying that the technique posed a security risk, Dansie eventually issued a security patch which, according to a message at the site, "removes all known security problems." Dansie, however, has not provided a copy of the patched software for testing to the system administrator who originally found the backdoor. Nor has he responded to testing requests from the authors of Nessus, a remote security scanning tool that now includes the Dansie cart among its list of high-risk vulnerabilities.