Small Sites Warned of Insecure Carts

The discovery of a backdoor in another popular shopping cart program raises new questions about the overall security of the e-commerce
software relied upon by small businesses.


According to an advisory
Thursday from Cerberus Internet Security in London, the main program file
for CART32, a CGI program for 32-bit
Windows systems in use by more than 1,000 small online stores, contains an
undocumented password. When used properly, the password enables a third
party to run arbitrary commands on the Web server and potentially to access
credit card numbers, shipping addresses and other sensitive information.


David Litchfield, director of security for Cerberus, said he and his brother
Mark discovered the hidden password by opening the CART32 executable with a
text editor. Armed with the password, the Litchfields were able to cause
CART32 to divulge another set of passwords for accessing the cart’s various
data files.


Cerberus also found a second vulnerability in CART32, which enables someone
to change the cart’s administrative password.


The developers of CART32, McMurtrey/Whitaker & Assoc. of Springfield, Mo., confirmed the existence of the backdoor Friday.

Lauren Willard, a technical support rep for CART32, said
the company used the backdoor for technical support tasks such as assisting
customers who had lost their passwords.


“We never used it except to help them out with their Web site or for the
administration of their cart,” said Willard.


McMurtrey/Whitaker expects to release a patch for the program early next
week. In the meantime, as a workaround, CART32 users can manually edit the
program file to change the secret password. L0pht Heavy Industries, a white-hat hacking
group, has also released a tool that searches for the backdoor password in
the CART32 program and replaces it with a random backdoor password. The tool
also changes the permissions on the shopping cart's administration program
so that unauthorized users cannot change the administrator password.
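The workaround described above, as an added illustration that is not the L0pht tool's code nor anything shipped with CART32: scan a binary for embedded printable strings (which is all "opening the executable in a text editor" amounts to), then overwrite a known password string with a random one of identical length so no offsets in the file shift. The sample "binary" and the placeholder password value are constructed here; the real backdoor password is not reproduced on this page.

```python
# Added example, not code from the article, L0pht or McMurtrey/Whitaker.
# Demonstrates: (1) pulling printable strings out of a binary blob, and
# (2) overwriting a hard-coded password in place with a same-length random value.
import secrets
import string

# Constructed stand-in for an executable: non-printable filler with a
# NUL-terminated ASCII string embedded. The password is a placeholder.
PLACEHOLDER_PASSWORD = b"HYPOTHETICAL_SECRET"
_FILLER = bytes([0x00, 0x01, 0x7F, 0x80, 0xFF]) * 50
SAMPLE_BINARY = (
    b"MZ\x90\x00" + _FILLER
    + b"AdminPass=\x00" + PLACEHOLDER_PASSWORD + b"\x00"
    + _FILLER
)


def find_strings(blob: bytes, min_len: int = 8):
    """Yield (offset, bytes) for runs of printable ASCII of at least min_len,
    the same thing `strings` or a text editor exposes in a binary."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    start = None
    for i, b in enumerate(blob + b"\x00"):  # trailing NUL flushes a final run
        if b in printable:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, blob[start:i]
            start = None


def random_password(length: int) -> bytes:
    """CSPRNG-generated replacement drawn from a printable alphabet."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode()


def replace_password(blob: bytes, old: bytes, new=None):
    """Overwrite every occurrence of `old` with `new` (random if omitted).
    The replacement must be the same length so the file layout is unchanged.
    Returns (patched_blob, new_value)."""
    if old not in blob:
        raise ValueError("password string not found: wrong version or already patched")
    if new is None:
        new = random_password(len(old))
    if len(new) != len(old):
        raise ValueError("replacement must match the original length")
    return blob.replace(old, new), new


if __name__ == "__main__":
    for offset, s in find_strings(SAMPLE_BINARY):
        print(f"{offset:#08x}: {s!r}")
    patched, new_value = replace_password(SAMPLE_BINARY, PLACEHOLDER_PASSWORD)
    print("patched; new value is", new_value.decode())
```

Note that this only changes which value opens the backdoor; the code path that accepts a master password is still in the program, which is why the article treats it as a stopgap until the vendor patch removes it.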


Litchfield of Cerberus defended his company’s decision to publicize the
backdoor before the patch was available.


“It’s a blatant security hole, and for all we know there could be hackers
out there who’ve known about it for months and are exploiting it,” said
Litchfield.


One of CART32's marquee customers, the online store at the official site of the Detroit Red Wings hockey team, has
apparently stopped using the shopping cart. The site was offline Thursday,
and when it reappeared Friday, the store section was replaced with an input
screen for requesting a paper catalog. Site representatives did not respond
to requests for information.


The backdoor in CART32 is just the latest in a string of security
vulnerabilities in software used by small online businesses. Earlier this
month, a similar backdoor was discovered in the popular Dansie Shopping Cart. In that case, the
program’s author, Craig Dansie, coded the backdoor into the program to
enable him to delete the script from any server that was violating his
copyright.


After initially denying that the technique posed a security risk, Dansie
eventually issued a security patch which, according to a message at the
site, “removes all known security problems.” Dansie, however, has not
provided a copy of the patched software for testing to the system
administrator who originally found the backdoor. Nor has he responded to
testing requests from the authors of Nessus, a remote security scanning tool
that now includes the Dansie cart among its list of high-risk vulnerabilities.


Dansie may have known about the security vulnerability in his cart long
before the recent advisory was posted on the Bugtraq
security mailing list. Last August, Dansie.net was
defaced
by a group that calls itself Hackers in Paradise. A HiP member
who uses the handle “Freejack” replaced the Dansie site’s homepage with one
that read, “To The Admin: Your Scripts Are Ridiculously Insecure. People Are
Relying On Your Scripts Security To Protect Their Credit Card Info, Yet Your
Own Scripts Can Be Easily Manipulated To Cruise Your Whole Server Hard
Drive.”


CART32 also has a checkered past for security. The program was among a group
of eleven shopping carts that allowed an attacker to tamper with input forms
and order items at reduced prices. According to Internet Security Systems Inc., which identified the
vulnerability last February, version 2.6 of CART32 was modified by the
developers to provide a higher level of security.
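The form-tampering class of flaw described above, as an added illustration that is not CART32's code nor ISS's test: a cart that trusts an item price carried in the submitted form, beside one that treats the server-side catalog as the only source of prices and also rejects the related negative-quantity trick. The catalog, item names and POST bodies are constructed for the example.

```python
# Added example, not code from the article or from any of the eleven carts.
# Shows why a price carried in a (hidden) form field can be edited by the
# buyer, and the server-side lookup that removes the problem.
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalog: on the hardened path this is the only source of prices.
CATALOG = {"JERSEY-01": Decimal("89.99"), "PUCK-07": Decimal("12.50")}


def vulnerable_total(body: str) -> Decimal:
    """Trusts item, quantity AND price from the client. Anyone can save the
    order form, change the price field and resubmit it."""
    form = parse_qs(body)
    total = Decimal("0")
    for item, qty, price in zip(form["item"], form["qty"], form["price"]):
        total += Decimal(price) * int(qty)
    return total


def hardened_total(body: str) -> Decimal:
    """Accepts only item and quantity; price comes from the catalog.
    A client-supplied price field is ignored entirely."""
    form = parse_qs(body)
    total = Decimal("0")
    for item, qty in zip(form.get("item", []), form.get("qty", [])):
        if item not in CATALOG:
            raise ValueError(f"unknown item {item!r}")
        quantity = int(qty)
        if quantity <= 0:  # negative quantities are another way to "discount" a cart
            raise ValueError("quantity must be positive")
        total += CATALOG[item] * quantity
    return total


# Constructed POST bodies: the second is the first with the price edited.
HONEST_POST = "item=JERSEY-01&qty=1&price=89.99"
TAMPERED_POST = "item=JERSEY-01&qty=1&price=0.01"
NEGATIVE_QTY_POST = "item=JERSEY-01&qty=1&item=PUCK-07&qty=-7"

if __name__ == "__main__":
    print("vulnerable, tampered:", vulnerable_total(TAMPERED_POST))
    print("hardened,   tampered:", hardened_total(TAMPERED_POST))
```

The check that matters is not validation of the price field but its absence from the trust boundary: whatever the form says, the server recomputes the total from data the buyer cannot edit.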


And in April of last year, it was discovered that more than 100 online stores had misconfigured their shopping carts, allowing the software to log order information, including credit card
numbers, in a world-readable file accessible to anyone with a Web browser.


Cerberus’ Litchfield said the rash of security holes in ecommerce packages
behooves small sites to be vigilant.


“Small sites in particular can’t afford to be hacked. They should do some
due diligence and make sure there’s nothing wrong with these things. It’s
not difficult to do.”
