(Vendor Issues Fix) Re: Virtual Programming's VP-ASP Shopping Cart Default Configuration May Disclose Internal Database (Including Credit Card Data) to Remote Users
SecurityTracker Alert ID: 1004500
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 10 2002
Impact: Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description: A configuration vulnerability was reported in the VP-ASP shopping cart. A remote user may be able to download the master database, which may include unencrypted credit card details. A remote user may also be able to use default passwords to take full control of the application.
It is reported that the default configuration of the shopping cart software is not secure.
According to the report, many users of the software do not change the default login usernames and passwords ('vpasp/vpasp' or 'admin/admin'). This allows remote users to log in and take control of the commerce site using the following type of URL:
http://[host]/[vpasp dir]/shopadmin.asp
On many systems, the default configuration and storage file is a Microsoft Access database named shopping400.mdb or shopping300.mdb that is readable by remote users. The contents of the database, which include customer and credit card details, are not encrypted by default.
A remote user can, without any authentication, invoke the VP-ASP diagnostic tool 'shopdbtest.asp' to determine where the database file is located, even if the location has changed. If the database file is still in its default configuration or is still under the web root directory, the remote user can download the file without authentication.
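The exposure described above leaves a clear trace in IIS access logs: successful requests for the default .mdb files or for shopdbtest.asp. The following is an added example, not part of the SecurityTracker entry or the vendor's code, that parses IIS W3C extended log lines and flags those requests; the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of IIS W3C extended log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-10 02:15:01 203.0.113.7 GET /shop/shopdbtest.asp - 200
2002-06-10 02:15:09 203.0.113.7 GET /shop/shopping400.mdb - 200
2002-06-10 02:16:30 198.51.100.4 GET /shop/shopadmin.asp - 200
2002-06-10 02:16:31 198.51.100.4 POST /shop/shopadmin.asp - 302
2002-06-10 02:20:00 192.0.2.9 GET /shop/default.asp - 200
2002-06-10 02:21:00 192.0.2.9 GET /shop/shopping300.mdb - 404
"""

# File names taken from the advisory. A successful fetch of the database file or of
# the diagnostic page is an alert; shopadmin.asp is legitimate use but worth counting.
SENSITIVE = {
    "shopping400.mdb": "database download",
    "shopping300.mdb": "database download",
    "shopdbtest.asp": "diagnostic page (reveals database path)",
}

FIELDS_RE = re.compile(r"^#Fields:\s*(.*)$")

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        m = FIELDS_RE.match(line)
        if m:
            fields = m.group(1).split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))

def find_exposures(text):
    """Return (alerts, admin_hits): alerts are (ip, file, reason) for 2xx requests
    to sensitive paths; admin_hits counts shopadmin.asp requests per client IP."""
    alerts, admin_hits = [], Counter()
    for rec in parse_w3c(text):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name in SENSITIVE and rec["sc-status"].startswith("2"):
            alerts.append((rec["c-ip"], name, SENSITIVE[name]))
        elif name == "shopadmin.asp":
            admin_hits[rec["c-ip"]] += 1
    return alerts, admin_hits

if __name__ == "__main__":
    for ip, name, why in find_exposures(SAMPLE_LOG)[0]:
        print(f"ALERT {ip} fetched {name}: {why}")
```

A 404 for the database file (as in the last sample line) is not alerted, since it shows the file is no longer where a remote user expects it; a 200 is the case the advisory warns about.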
Impact: A remote user may be able to download the master database if it is still in its default configuration location. The database includes
credit card details that are, by default, not encrypted. A remote user may also be able to use default user account names and passwords
to take full control of the application.
Solution: The vendor has issued a fix. For more information, see the vendor's security information page at:
http://www.vpasp.com/virtprog/info/faq_security.htm
The vendor has also issued a security supplement for customers:
http://www.vpasp.com/sales400/addons400.asp
Vendor URL: www.vpasp.com/
Cause: Configuration error
Underlying OS: Windows (Any)
Reported By: "Virtual Programming" <support@vpasp.com>
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 10 Jun 2002 12:49:11 +1000
From: "Virtual Programming" <support@vpasp.com>
Subject: Re: VP-ASP shopping cart software.
A number of issues have been raised regarding VP-ASP Shopping Cart (www.vpasp.com) security.
I believe we have addressed all these issues, but because it is of great concern we have taken the following steps:
1. We have updated our security information page
www.vpasp.com/virtprog/info/faq_security.htm
2. We have created a security supplement that our customers can download but hackers cannot unless they are also customers, with more details on certain aspects of security that we do not want to publicly post.
www.vpasp.com/sales400/addons400.asp
3. We have placed security links on our home page www.vpasp.com to make the information more readily found.
4. We have updated our distribution files to include all known security "holes".
I welcome additional feedback on any issues raised by yourself or in any forum.
Howard Kadetz
VP-ASP