Examples of
Poorly Implemented Shopping Carts
We illustrate briefly what can go wrong if
shopping carts are poorly implemented by presenting some examples in this
section. More complete coverage of the vulnerabilities illustrated here are
presented in later chapters and in lang=EN-GB style='color:#003399'>Chapter 10, in
particular.
Carello Shopping Cart
The Carello shopping cart (style='color:#003399'>http://www.carelloweb.com)
running on Windows NT has a flaw that allows remote command execution over
HTTP. This shopping cart has a component called Carello.dll that interacts with
the client. An attacker can inject commands by using malformed URLs that lead
to remote command execution on the Web server.
For example, the following URL can execute
the dir command on the server:
http://target/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20dir
A full description is available at lang=EN-GB style='color:#003399'>http://securitytracker.com/alerts/2001/May/1001526.htmllang=EN-GB>.
DCShop Shopping Cart
The DCShop shopping cart (lang=EN-GB style='color:#003399'>http://www.dcscripts.com/dcforum/dcshop/44.htmllang=EN-GB>) stores temporary order information in clear text in a temporary
file called orders.txt. This file is in DCShop's Order subdirectory and can be
retrieved directly via HTTP by any user. The orders.txt file contains all the
data related to customers' recent orders, including names, shipping addresses,
billing addresses, e-mail addresses, and credit card data. The attack can be
performed simply by issuing the following URL:
http://target/cgi-bin/DCShop/Orders/orders.txt
A full description is available at lang=EN-GB style='color:#003399'>http://securitytracker.com/alerts/2001/Jun/1001777.htmllang=EN-GB>.
Hassan Consulting's Shopping Cart
Hassan Consulting's shopping cart (style='color:#003399'>http://www.irata.com/products.htmllang=EN-GB>) allows arbitrary command execution on the server. The shopping
cart runs on Unix and is written in Perl. The script, shop.pl, doesn't filter
out characters such as ";" and "|," which allow remote
users to inject commands on the server via the URL. URL exploitation occurs as
follows:
http://target/cgi-local/shop.pl/SID=947626980.19094/page=;ls|
A full description is available at lang=EN-GB style='color:#003399'>http://securitytracker.com/alerts/2001/Sep/1002379.htmllang=EN-GB>.
Cart32 and Several Other Shopping Carts
Some shopping carts have hidden form fields
within the html source code that contain product information such as price,
weight, quantity, and identification. An attacker can save the Web page of a
particular item to his computer and edit the html source, allowing him to alter
the parameters of the product, including the price of the product.
A full description is available at lang=EN-GB style='color:#003399'>http://online.securityfocus.com/bid/1237lang=EN-GB>.
No comments:
Post a Comment