SAN FRANCISCO (05/02/2000) - Two security holes in Cart32, shopping-cart software for smaller e-commerce sites, could allow a malicious hacker to take over a Web server and get access to potentially millions of consumer credit-card numbers and addresses.
The first, a "blatant backdoor," is in the form of a password, "wemilo," which is easily identifiable in the code, says Mark Litchfield, a cofounder of Cerberus Information Security, based in London, who discovered the holes this week. Knowing the password would enable an attacker to modify the Web site and access customer passwords.
In addition, the software could easily allow someone to change a site's administration password remotely by going to a special Web address. "It's amazing how easy it was to change the password, to become the administrator," Litchfield says. "A 5-year-old could do it." A tech-support representative at McMurtrey/Whitaker & Associates, the Springfield, Mo., company that sells Cart32, said a patch for the hole would be delivered today or Monday but could offer no other details.
Other company representatives did not return repeated calls seeking further comment. Bryan Whitaker, cofounder of the company and author of Cart32, was quoted in an article on portal SecurityFocus.com as saying there are about 1,500 servers using the software, each hosting numerous e-commerce sites. He also said the password was created to allow tech-support staff to remotely access the software.
Customer service backdoor programs are fairly common, even if insecure, says Elias Levy, CTO at SecurityFocus. He points out, however, that there's no reason to have two remote password capabilities, as is the case with Cart32.
According to Litchfield, Cerberus had been charged with investigating the Cart32 log files on behalf of a client, in reference to a possible attack using the backdoor.
"It was easy to find," he says. "How many people out there know it exists and have been using it for their own purposes?" Litchfield recommends that Web shopping sites using Cart32 change the "wemilo" password to something else, and also change their settings so that only administrators will have access to the affected file. Cerberus has found 19 security problems in software from other vendors it has analyzed, including another shopping-cart product, but it has not released the information on those because no fixes are yet available, Litchfield said.
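The two weaknesses the article describes, a fixed support password accepted as a credential and an administrator-password change reachable by URL without any proof of identity, boil down to a small pattern. The Python below is an added illustration written for this page, not Cart32's own code: it shows each weakness beside a hardened form that follows Litchfield's advice (a single, site-chosen credential; the change function only honours callers who already hold it), and a filter of the kind one would run over web-server logs when checking whether the admin URL has been hit. The parameter names, the admin path, the log format and the sample log lines are all constructed assumptions.

```python
"""Constructed illustration of the two holes described in the article and their
fixes.  Not Cart32 code; parameter names, the admin path and the log format are
assumptions made for this example."""
import hashlib
import hmac
import re
import secrets

# The fixed support password the article names; kept only in the 'before' code.
MAINTENANCE_PASSWORD = "wemilo"

# Assumed admin endpoint for the log check below (hypothetical path).
ADMIN_PATH = "/cgi-bin/cart-admin"


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked settings file does not expose the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store(admin_password: str) -> dict:
    """Per-site settings, standing in for the cart's configuration file."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "admin_hash": _hash(admin_password, salt)}


# ---- hole 1: a second, fixed credential baked into the program -------------

def vulnerable_login(password: str, store: dict) -> bool:
    """Before: the site's own password OR the shipped support password works."""
    if password == MAINTENANCE_PASSWORD:
        return True  # anyone who reads the program's strings gets in
    return hmac.compare_digest(_hash(password, store["salt"]), store["admin_hash"])


def hardened_login(password: str, store: dict) -> bool:
    """After: exactly one credential, chosen by the site, compared in constant time."""
    return hmac.compare_digest(_hash(password, store["salt"]), store["admin_hash"])


# ---- hole 2: password change reachable by URL without authentication -------

def vulnerable_change_password(params: dict, store: dict) -> bool:
    """Before: a request carrying 'newpass' is enough to become administrator."""
    if "newpass" not in params:
        return False
    store["admin_hash"] = _hash(params["newpass"], store["salt"])
    return True


def hardened_change_password(params: dict, store: dict) -> bool:
    """After: the current password must be presented; weak replacements are refused."""
    current = params.get("current", "")
    newpass = params.get("newpass", "")
    if not hardened_login(current, store):
        return False  # missing or wrong current password
    if len(newpass) < 12 or newpass == current:
        return False  # trivially weak replacement
    store["salt"] = secrets.token_bytes(16)  # fresh salt on every change
    store["admin_hash"] = _hash(newpass, store["salt"])
    return True


# ---- what to look for in the web server log --------------------------------

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def admin_url_hits(log_lines) -> list:
    """Return (client, method, target) for every request to the admin path.
    POST bodies are not logged, so any hit on the path is of interest, not
    only those with the parameter visible in the query string."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path, _, _query = m.group("target").partition("?")
        if path == ADMIN_PATH:
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits


# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/May/2000:10:12:01 -0700] "GET /cgi-bin/cart-admin?newpass=letmein HTTP/1.0" 200 512',
    '203.0.113.9 - - [02/May/2000:10:12:30 -0700] "GET /cgi-bin/shop?item=42 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [02/May/2000:10:13:02 -0700] "POST /cgi-bin/cart-admin HTTP/1.0" 200 128',
]

if __name__ == "__main__":
    store = new_store("site-chosen-secret-1")
    print("support password accepted before fix:", vulnerable_login(MAINTENANCE_PASSWORD, store))
    print("support password accepted after fix: ", hardened_login(MAINTENANCE_PASSWORD, store))
    print("unauthenticated change before fix:", vulnerable_change_password({"newpass": "x"}, store))
    store = new_store("site-chosen-secret-1")
    print("unauthenticated change after fix: ", hardened_change_password({"newpass": "x"}, store))
    print("admin URL hits in sample log:", admin_url_hits(SAMPLE_LOG))
```

The hardened change function reuses the login check rather than keeping a separate code path, which is the point Levy makes above: one credential and one place where it is verified leaves nothing extra to leak or bypass.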
Cerberus tried to notify Cart32 about the matter before going public with the problem but couldn't reach company representatives in time, he says, adding that he would not have publicized the vulnerability if he hadn't first developed a fix for it. Litchfield says the fact that he was able to break into the two shopping-cart products he has analyzed makes him question the security of shopping-cart software in general, which enables faster online shopping by storing customer information about items being purchased as well as credit-card numbers.
"Anyone who has shopping-cart software, we'll break them," he says. "It's a bold statement to make, but when you've looked at two out of two and we (cracked) them in no time whatsoever, I would suggest many others will be insecure." Shopping-cart software came under criticism a year ago when an ISP discovered that many of the smaller e-commerce sites it hosted were improperly installing the software, leaving sensitive customer data vulnerable.