An unpatched security hole in online storefront software from IBM is
potentially exposing scores of high-profile ecommerce sites to attacks from
outsiders.
The vulnerability in IBM’s Net.Commerce software could enable an attacker to
gain administrative access to an online store. Such ability would allow an
outsider to upload and download files, issue operating system commands, and
extract any information from the site’s database, including customer records
and credit cards.
IBM is currently shipping version 5.1 of the software, which has since been
rebranded the WebSphere Commerce Suite, but hundreds of sites still use older
releases.
A quick search by InternetNews.com Wednesday turned up more than a dozen
storefronts that appear vulnerable to an attack publicized Monday on the
Bugtraq security mailing list by an Austrian software security consultant who
uses the nickname “Rudi Carell.”
The vulnerable sites include those operated by a major discount shoe
retailer, a leading computer manufacturer, one of the biggest purveyors of
chainsaws, and two online jewelry stores.
Tim Breuer, a spokesperson for IBM, confirmed Wednesday that a similar
security vulnerability was identified in internal testing by IBM in October
1999 in Net.Commerce version 2 and up to version 3.1. According to Breuer,
the company subsequently released a patch, and recent editions of the
software do not contain the bug.
“We aggressively contacted all of our customers and business partners and
made them aware of this and encouraged them to use the fix. Since it was a
year and a half ago and we haven’t had a single customer come in and say
there was an issue related to it, we’re confident it was addressed at the
time,” said Breuer.
A search of the security advisories at IBM’s site did not turn up any bulletins from the company about
the Net.Commerce issue. Nor could any notice of the patch be found in other
leading archives of security and ecommerce software discussion lists.
According to Carell, the vulnerability lies in the macro functions in the
affected versions of Net.Commerce. These macros are shortcuts designed to
retrieve data from the Net.Commerce database and display it as a formatted
Web page. However, Carell says the macros do not properly validate their
input, and so let any web visitor pass arbitrary SQL commands through to the
store’s database.
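The failure Carell describes is a classic SQL injection: a request parameter is spliced into the query text, so the parameter can change the query's structure instead of just its value. The following is an added example, not code from the article, from IBM or from Net.Commerce; it uses Python's standard sqlite3 module and a constructed three-row product table (not Net.Commerce's real schema) to contrast a macro-style lookup that concatenates the parameter with one that binds it as a parameter, plus an allowlist check of the expected input format as a second layer of defence.

```python
import re
import sqlite3

# Constructed sample store database. The schema is invented for this example
# and is not Net.Commerce's.
SAMPLE_PRODUCTS = [
    ("SH-100", "Running shoe", 5999),
    ("CS-200", "Chainsaw", 24999),
    ("JW-300", "Gold bracelet", 12999),
]


def build_store() -> sqlite3.Connection:
    """Create an in-memory store database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, sku: str) -> list:
    """Emulates a display macro that splices the request parameter straight
    into the SQL text. The parameter can therefore rewrite the WHERE clause:
    a value such as  ' OR '1'='1  turns a single-row lookup into a dump of
    every row, which is the kind of data exposure the article describes."""
    query = f"SELECT sku, name, price_cents FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    """Same lookup with a bound parameter. The query structure is fixed by the
    program; whatever the visitor sends is compared as a literal string value
    and can never be interpreted as SQL."""
    query = "SELECT sku, name, price_cents FROM products WHERE sku = ?"
    return conn.execute(query, (sku,)).fetchall()


# Allowlist for the SKU format used by the sample data (constructed pattern).
# Rejecting anything that does not match the expected shape before it reaches
# the database is the "input validation" the macros were missing; it
# complements parameterisation rather than replacing it.
SKU_PATTERN = re.compile(r"[A-Z]{2}-\d{3}")


def validate_sku(sku: str) -> bool:
    """Return True only if the value has the expected two-letter, three-digit
    SKU shape; anything containing quotes, spaces or SQL keywords fails."""
    return SKU_PATTERN.fullmatch(sku) is not None


def lookup_hardened(conn: sqlite3.Connection, sku: str) -> list:
    """Validate first, then query with a bound parameter."""
    if not validate_sku(sku):
        return []
    return lookup_safe(conn, sku)


if __name__ == "__main__":
    store = build_store()
    honest = "SH-100"
    malformed = "' OR '1'='1"
    print("unsafe, honest input   :", lookup_unsafe(store, honest))
    print("unsafe, malformed input:", lookup_unsafe(store, malformed))
    print("safe, malformed input  :", lookup_safe(store, malformed))
    print("hardened, malformed    :", lookup_hardened(store, malformed))
```

Running the module shows the concatenating version returning all three products for the malformed value while the parameterised version returns nothing, because SQLite compares the literal string against the `sku` column and finds no match. The allowlist check adds a cheap, auditable rejection point in front of the database; on a real storefront the same idea applies to every request parameter a display macro consumes, and a log of rejected values is a useful detection signal for probing.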
“The more input you tolerate, the more dangerous it is passing user input to
program or operating-system functions. And if you miss that, your web-based
software will turn into a nightmare,” said Carell. Using one of the exploits
he posted, InternetNews was able to display administrator account names at
several Net.Commerce sites, although separate attacks to gather the
corresponding passwords and hints were unsuccessful.
Elias Levy, chief technology officer for SecurityFocus.com, says input
filtering errors are common to Web-based applications with database back
ends.
“All you would have to do is figure out the layout of the tables and columns
of the database and craft the correct SQL statement to get that data back,”
said Levy, who noted that the Net.Commerce bug resembles the widely
publicized RDS vulnerability in Microsoft’s Internet Information Server.
With details of the Net.Commerce vulnerability brought to light, Levy
advises Net.Commerce administrators to review their configurations and
either upgrade or contact IBM for a patch.