COMMAND

    iHTML Merchant

SYSTEMS AFFECTED

    iHTML Merchant for Unix/Windows 95/98/NT

PROBLEM

    The following is based on a Team Asylum Security Advisory.  iHTML
    Merchant, written by Inline Internet Systems Inc., is an
    e-commerce solution programmed in iHTML which allows complicated
    web programming tasks to be done by anyone with basic knowledge
    of HTML and their web server of choice.  Over 2,700 online
    merchants run iHTML Merchant.  In turn, they can run dozens more
    stores off that single product.

    Team Asylum has discovered a vulnerability in iHTML Merchant
    which would allow a malicious hacker to (at the very least) view
    the protected files in the website's administrative section,
    giving the attacker the ability to view credit card information.
    If iHTML Merchant is being run on Windows 95/98/NT the
    vulnerability is much more severe.  The vulnerability exists in
    how iHTML Merchant parses code.  The attacker could:

        1) Delete any file on the server.
        2) Write a file to any folder on the server.
        3) Upload a trojan.
        4) Steal credit card numbers and other hidden information.

    If iHTML Merchant is being run on UNIX, the possibility exists
    that the web site could be altered.  These findings reflect the
    default settings for 95/98/NT and iHTML Merchant.

SOLUTION

    Inline Internet Systems has released patches for the "feedback
    vulnerability" in iHTML Merchant.  Patches:

        http://www.ihtmlmerchant.com/support_patches_feedback.htm

    Advisory:

        http://www.team-asylum.com/advisories/files/09-16-99-ihtml.txt

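    Below is a temporary fix that can be integrated with iHTML
    Merchant.  It checks the submitted email field for a "<"
    character and, when the check trips, shows an error message and
    stops processing: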

    <iEQ name="brac" value=<iSTRIN SRC=":email" DST="<">>
    <iIF NOTCOND=<iSTRNICMP SRC=:brac DST="0">>
    For security reasons, your message was not sent.<br>Please verify that you
    entered your email address correctly, by going <a
    href="javascript:history.back(1)">back</a><br>
    <iinclude name="template/footer.ihtml">
    <iSTOP>
    </iIF>
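
    The same idea as the temporary fix above, as an added Python
    example that is not part of the advisory or of iHTML Merchant:
    a feedback submission is rejected when a field contains a tag
    character, and the email field is held to an allow-list.  It goes
    beyond the fix by checking every field and by undoing repeated
    URL-encoding first; the "message" field name and all sample
    values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Conservative allow-list for an email address: angle brackets, quotes,
# whitespace and control characters can never match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Characters that open or close a tag in a server-parsed template.
TAG_CHARS = ("<", ">")


def normalise(value, rounds=3):
    """Undo repeated URL-encoding so %3C and %253C are both seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)  # unquote, not unquote_plus: keep '+' in addresses
        if decoded == value:
            break
        value = decoded
    return value


def check_feedback(form):
    """Return {field: reason} for every rejected field; an empty dict means accept."""
    errors = {}
    for name, raw in form.items():
        value = normalise(raw)
        if any(c in value for c in TAG_CHARS):
            errors[name] = "contains tag character"
        elif name == "email" and not EMAIL_RE.fullmatch(value):
            errors[name] = "not a plausible email address"
    return errors


if __name__ == "__main__":
    # Constructed sample submissions ("message" is a hypothetical field name).
    samples = [
        {"email": "user@example.com", "message": "Where is my order?"},
        {"email": "user@example.com<x>", "message": "hi"},
        {"email": "user%253Cx@example.com", "message": "ok"},
        {"email": "not-an-address", "message": "a < b"},
    ]
    for form in samples:
        print(form["email"], "->", check_feedback(form) or "accepted")
```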