COMMAND

    CyberOffice Shopping Cart

SYSTEMS AFFECTED

    CyberOffice Shopping Cart v2

PROBLEM

    Following is based on a Delphis Consulting Security Team  Advisory
    DST2K0035.   Delphis  Consulting  Internet  Security  Team (DCIST)
    discovered  the  following  vulnerability  in CyberOffice Shopping
    Cart v2 under Windows NT.

    It is  possible with  default installations  (according to  vendor
    instructions) of CyberOffice to gain access to the database  which
    holds  information  on  customer  orders,  details and credit card
    information.  This data is held in an unprotected and un-encrypted
    Microsoft Access Database.  Example:

        http://127.0.0.1/_private/shopping_cart.mdb

    By default the _private directory is world readable and accessible
    to any anonymous web user.  The vendor's documentation does  state
    that the /_private/  directory should  not be  browsable, but that
    alone is not enough: if the file name is known it can  still  be
    downloaded.

SOLUTION

    Currently Delphis recommend the following:

        o Within  IIS (Internet  Information Server)  manager set  the
          directory  permissions  to  write  but  NOT read.  This will
          enable  users  to  update  the  database  as required by the
          application but not be able to download it.
        o Migrate from Access to SQL
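
    An added example, not part of the Delphis advisory or the vendor's
    material: a Python scan of IIS W3C extended logs for requests that
    reached /_private/ or any .mdb file, separating those answered with
    content from the rest.  The log lines are constructed sample data
    and the function names are this example's own.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-10-02 09:15:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2000-10-02 09:15:02 192.0.2.10 GET /default.htm 200 5120
2000-10-02 09:16:40 198.51.100.7 GET /_private/shopping_cart.mdb 200 1482752
2000-10-02 09:17:05 198.51.100.7 GET /_PRIVATE/Shopping_Cart%2EMDB 200 1482752
#Date: 2000-10-03 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-03 08:00:11 203.0.113.4 GET /_private/shopping_cart.mdb 403
2000-10-03 08:02:30 192.0.2.10 POST /shop/order.asp 200
"""

def sensitive(path):
    """True for anything under /_private/ or any Access database file."""
    p = unquote(path).replace("\\", "/").lower()   # IIS paths ignore case
    return p.startswith("/_private/") or p.endswith(".mdb")

def scan(log_text):
    """Return (served, other) lists of requests for sensitive paths."""
    fields, served, other = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        path, status = rec.get("cs-uri-stem", ""), rec.get("sc-status", "")
        if not sensitive(path):
            continue
        hit = (rec.get("date"), rec.get("c-ip"), unquote(path), status)
        # 2xx means file content was sent; everything else is listed apart
        (served if status.startswith("2") else other).append(hit)
    return served, other

if __name__ == "__main__":
    served, other = scan(SAMPLE_LOG)
    for h in served:
        print("SERVED    ", *h)
    for h in other:
        print("NOT SERVED", *h)
```

    Entries in the first list predate an effective permission change and
    mean the order data should be treated as disclosed; entries in the
    second list with status 403 show the Read permission is now denied.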

    SmartWin  is  aware  of  the  problem  from the beginning since the
    release of the  program.  It  is a shame  that FrontPage does  not
    automatically  disable  /_private  from  browsing.   In all of our
    documents we have stressed this  point enough to cause the  ISP to
    take action to protect the folder.   Because it is the ISP who  is
    required  to  ultimately  fix  the  problem,  the  installation is
    powerless in that regard.

    In addition to the solutions you have given, these are the more
    common actions:

        1) Use IIS Management  Console to disable the  Read permission
           on the folder (done by ISP)
        2) Use  FrontPage Explorer  to disable  the folder  from being
           browsed (done by the Web master)
        3) Move  the database  to /fpdb  (the database  folder used by
           newer versions of FrontPage).

    How to  protect databases  from being  directly downloaded  is the
    problem  that  every  ISP   faces  every day.   SmartWin  has given
    sufficient warning toward this issue.  It should NOT be classified
    as CyberShop's problem.