Vulnerability Development: VP-ASP shopping cart software.
NOTE: Please Just ignore the tags, there just notes ect. to make a .txt
document a little more readable, or not.
<short>
Several security issues in the VP-ASP shopping cart software
<dot>Path Information Disclosure Vulnerability.
<dot>Insecure perrmissions on configuration file.
</short>
<synopsis>
-Default passwords that allow ‘admin’ access in the VP-ASP script
- A remote vulnerability in VP-ASP shopping cart software that can disclose
the location of the database/configuration data to an unprivilaged user, and
will allow a user to change the location of the database.
-Allow by defult, accessibilty of the database/configuration file to any
user remotly.
</synopsis>
-- Multiple Vulnerabilities in VP-ASP software --
()()()()()()()()()()()()()()()()()()()()()()()()()()()()
VP-ASP
()()()()()()()()()()()()()()()()()()()()()()()()()()()()
[ Kowchews security advisory]
<MD5>A71EB48778DD7953256EAAF8F02F0AD1</MD5>
Description:
( http://www.vpasp.com )
There are several problems in the "vp-asp" shopping cart software. These are
a result of default installations.
This may allow:
An attacker to locate the database/configuration.
An attacker to change the location of the databse/configuration file.
An attacker to download the database/configuration file.
An attacker to log in as the administrator of the VP-ASP software.
Introduction:
( according to the VP-ASP website )
----------------------------------
Installation - VP-ASP installs in minutes and never modifies your computer
in any way.
Customization - Using your browser, you will be able to configure over 240
different features of VP-ASP. For quick shops, simply configure four items
such as your e-mail details via the browser, add your products via the
browser and your shop is up and running. Full online help is available.
----------------------
VP-ASP
can run on:
Windows 95/98/ME there is Personal Web Server.
Windows NT/2000/XP Professional there is IIS.
Windows XP Home. Sorry but Microsoft left you out.
and, VP-ASP Unix version will run under Chili!Soft ASP
(www.chillisoft.com).
--------------------
Details:
Vunerable: Probably all versions to date which have not been hardened after
being installed.
<dot> By default the login/passwords are vpasp/vpasp or admin/admin , many
web sites do not have these changes, thus in some places anyone can login
from the [ pretty ] web interface
http:/ / [ host ] / [ vpasp dir ] /shopadmin.asp
<dot> By default the Microsoft access configuration and storage file is
named shopping400.mdb/shopping300.mdb, and is readable from the internet, a
bad thing considering that it contains most, if not all of the configuration
data including person details and credit card details which are by default,
unencripted/protected.
[ It may contain more infomation but I’ve only ever read it with a hex
editor =( ]
<dot>Included in VP-ASP is a diagnostic tool [ shopdbtest.asp ], which is so
kind as to give anyone who wants it the location to the database file [
given as xDatabase in the page ] even if the location has been changed.
NOTE:You do NOT have to be logged in as the administrator [ VP-ASP admin ]
to download the database/config file.
NOTE: The database is an microsoft [ 2000 or 97 ] access file so, [
xDatabase + .mdb ] appending a .mdb to the database location will the the
files location.
ie. http:// [vp-asp site] / [ vp-asp dir] / [ xDatabase + .mdb ]
NOTE: Thankfully, not all sites are vunrible, many sensible administrators
have stored the file outside of the webroot =) [ Followed the instructions
on the website ], but infomation is still availible as to the locality of
the file .
So, in some cases the database/config file is accessible via an internet
browser
NOTE:“shopdbtest.asp” is not the only culprit, “shopa_sessionlist.asp” will
disclose the same information, but its not as pretty and doesn't keep with
the theme of the website .[ Not exactly a huge incentive to stay away but
..... ]
There is another reason to love shopdbtest.asp, it is able to change the
position of the database file.
You would be able to anyway if the default user/pass was still there;
remember :
"Using your browser, you will be able to configure over 240 different
features of VP-ASP."
Attackers can easily search for sites [ en mass ] running the product [
VP-ASP ], just buy using a search engine , like google
[ Why would you use anything else ? ]
e.g.. http://www.google.com/search?q=allinurl%3Ashopdisplaycategories%2Easp
NOTE: shopdisplaycategories.asp is a main page for vp-asp, google gave me
1,0** sites using this software, although it should be expected some are
just running the demo and some are sensible.
Just have a look under "Advanced search" in your favorite search engine and
look for shopdisplaycategories.asp ONLY in the URL of the page.
http://search.lycos.com/main/adv.asp
http://www.google.com/advanced_search
Another handy thing about the website is this
page,http://www.vpasp.com/demos/vpaspsites/sitedisplay.asp, a list of happy
VP-ASP users.
Fix / workaround:
I sent and email and the nice people at VP-ASP sent one back =)
<reply from support_at_vpasp.com>
I am unsure who you are but we are well aware of all the issues raised in
this note.
Our Developer's guide and Installation guide and our faq on our web site go
through all these issues and more
1. We absolutely recommend that the database be in a directory not viewable
from the web to prevent hacker downloads. VP-ASP fully supports this but
using either Windows indirect addressing or direct driver addresses or ODBC
connections.
2. We recommend all our diagnostic tools be taken off after the production
site it set up. Even if the database name is known, if it "off the web:, we
believe disclosing the name is of no use to the hacker.
3. We certainly recommend altering the administrative userids and passwords.
In addition we support facilities where the actual login page can be hidden.
In that case the hacker could not find the login page if they know the
password
We have to weigh ease of installation for first time e-commerce customers
and security for production sites. We believe we have accomplished this but
it is obviously up to each site owner to take our recommendations and act on
them.
Howard Kadetz
VP-ASP Support
</reply from support_at_vpasp.com>
The page seems to cover all of this, but still, many people are not cautious
enough, I would like to thank the developer for his speedy responce. It
looks like very sound reasonable and quality infomation to harden your
VP-ASP software, but .....
I would like to make the point that after all he/she has said the VP-ASP
website's online test [ http://www.vpasp.com/demo400/ ] is running the
shopdbtest.asp
[ http://www.vpasp.com/demo400/shopdbtest.asp] ,
when I put in a new database file
.xDatabase from .\..\test --> test and pressed the "test database" button.
You'll never guess what happened !
<quote>
Database Read Database cannot be read Verify that the database is at the
physical location in the open message Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Write Database cannot be written Verify that the database is in a
folder that has both read and write access Microsoft Message
Open Messages
Could not find file 'D:\webs\ausiphotos.com\www\data.mdb'.
Database Permissions Database Permissions are not correct Read the FAQ on
our web site regarding permission for the anonymous user IUSR
</quote>
Maybe someone should read the security FAQ->
www.vpasp.com/virtprog/info/faq_security.htm ?
Remeber connections may need passwords, which may well be specified in the
shopdbtest.asp file.
It might not hurt to give a list of files to be removed.
<id>Kowchew.</id>
_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com
|