Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: netcomrc.htm

IBM NetCommerce 3 suffers known WebSphere bugs and others (others?)



    IBM NetCommerce 3 (others?)


    Rudi  Carell  found  following.   He  found  a  couple  of serious
    security-holes within  ibm s  so called  "netcommerce" thing which
    seems to be a mixture of websphere,, servlets, jsp s  and

    Besides  well  known  websphere-bugs  (file  thru  disclosure  and
    default-admin  passwords),  the  most  dangerous  bugs result from
    NON-existing  input  validation   within  netcommerc  s

    By  crafting  malformed  http-requests  it  is possible to extract
    "any" netcommerce-database-information.

    Combining   this   method    with   other    default-"netcommerce"
    funcionality (PasswordReset  for example)  it is  possible to take
    hold of so called "store-" or "site-manager"-accounts.

    Once you're  an nc-administrator  you are  allowed to  use all the
    admin-tools.  At this point youre able to up- and download  files,
    issue  op-system-commands  or  do  any  query  with  the very very
    high-privileged DB2INST1 account.

    This can lead to a possible take-over of the whole system.... Many
    "default-macros"  are  vulnerable  to  this  (classic:-)  sort  of

    A few examples:

        1) "HowTo find Administrator Accounts",0+from+shopper+where+shshtyp+%3d+'A';

        2) "Passwords(crypted)",0+from+shopper+where+shlogid+%3d+'ncadmin';

        3) "Password-Reminders",0+from+shopper+where+shlogid+%3d+'ncadmin';

    Of course "orderdspc.d2w" is not the only vulnerable macro .. it's
    just an example.  Casting between different data-types is possible
    (read the db2-man pages).

    Also it should (not proofed) be possible to query other databases.

    This has been confirmed on Net.Commerce 3.1.2.


    Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH