COMMAND

    Microsoft Site Server

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Megan Alexander posted the following about Verifone vPOS, which ships
    with Microsoft Site Server as a partnered evaluation version.  Here
    are some other interesting things about vPOS and Site Server:

    1. In  addition to  the debug  log described  in CyberCash  bug on
       mUNIXes page,  the actual  Commerce Server  store also  has the
       ability to write  a very   lengthy logfile, called   ordinitbf,
       which can be added into the global.asa of the store, and called
       using a scriptor component.   Again, not very useful unless  an
       administrator turns on logging and never turns it off.

       Things included in this file include: all shopper info, all
       address info (billing and shipping), credit card info, including
       name, exp, and number... you get the idea.  Note that Microsoft
       Commerce Server is a product developed by Microsoft for merchants
       wishing to establish a web-based storefront.  The file
       'ordinitbf' is a Microsoft file and is not related to the
       functionality of the Verifone vPOS product.  vPOS has no
       interaction with the 'ordinitbf' file.

    2. The  vPOS  service   cannot  be  started  automatically.    The
       encryption string MUST be  typed in at start-up.  This sequence
       cannot  be  automated.  Therefore,  if  a  server using vPOS is
       somehow  compromised  in  the  middle  of  the  night,  and  no
       administrator is there to restart the service, all transactions
       will fail until  the next time  the administrator restarts  the
       service.

    3. In order for vPOS to work with Microsoft Site Server  (Commerce
       Server 2.0), the Commerce Server version 1.0 component  wrapper
       must be used. In order  to trick the v1 component  wrapper into
       thinking that Site Server is really Merchant Server 1.0, A  LOT
       of registry entries must be made.

       Some of these registry  entries include the SQL  passwords, the
       NT  administrator  login   passwords,  etc.  Fun  for the whole
       family, and everything in plaintext.
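    As an added audit aid (not part of the original post or of either
    product), the script below does two of the checks an administrator
    would want after reading items 1 and 3: it parses a .reg export of
    the wrapper keys and flags string values whose names look like
    credentials, and it checks a store's global.asa for the ordinitbf
    logging hook.  The registry path, value names and global.asa
    fragment are constructed samples; the real key path is not given on
    this page.

```python
import re

# Constructed sample .reg export standing in for the Merchant Server 1.0
# wrapper keys; the key path is a placeholder, not the real one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\MerchantServer\1.0\Wrapper]
"SQLServer"="sqlhost"
"SQLLogin"="sa"
"SQLPassword"="hunter2"
"AdminUser"="Administrator"
"AdminPwd"="letmein"
"Token"=hex:01,02,03
'''

# Constructed global.asa fragment that enables the ordinitbf logfile
# through a scriptor component (hypothetical component name).
SAMPLE_GLOBAL_ASA = '''<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Set LogPipe = Server.CreateObject("Commerce.Scriptor")
    LogPipe.Execute "ordinitbf"
End Sub
</SCRIPT>
'''

CRED_NAME = re.compile(r'(pass|pwd|secret)', re.IGNORECASE)
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def find_plaintext_credentials(reg_text):
    """Return (key, name, data) for quoted REG_SZ values with credential-like names."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember the current key path
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        # hex:/dword: data is skipped; only plain quoted strings are reported
        if CRED_NAME.search(name) and data.startswith('"') and data.endswith('"'):
            hits.append((key, name, data.strip('"')))
    return hits

def ordinitbf_logging_enabled(global_asa):
    """True if the store's global.asa still references the ordinitbf logfile."""
    return 'ordinitbf' in global_asa.lower()
```

    Any hit from the first check is a credential to rotate and a key to
    ACL down; a True from the second means the card-data log is still
    being written.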

SOLUTION

    Restricting access to the vulnerable components may be a solution.
    Regarding the vPOS engine service, the SET 1.0 version of the vPOS
    engine service can be started automatically.  However, the
    encryption string must still be provided.