COMMAND
Shopping cart
SYSTEMS AFFECTED
QuikStore Shopping Cart 2.00, 2.09.05, 2.05.10
PROBLEM
The following is based on Cgi Security Advisory #1. This particular
script has had several past security issues. In a few versions
of QuikStore's Shopping Cart it is possible to read any
world-readable file on the server. For example, someone could
easily get your password file if it is unshadowed. It is also
possible, after the passwords have been cracked, to steal credit
card information (yes, it does use PGP, but some admins may keep
the key on the same system, and it is very likely that this could
happen) or client personal information.
The problem lies in QuikStore.cgi itself. The example request
below grabs the CGI program's actual source code. You can
imagine other ways to exploit this. The author decided not to post
the actual exploit so he may be able to save a few sites from a
*few* script kiddies (although a 2 year old should be able to
figure it out). Another potential problem is that it is possible
to read configuration files, and potentially expose paths to
sensitive files, or information which you probably do not want
people to know about.
http://somesite/cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id=
(Grabs the CGI's source code)
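The request above carries "../" and an encoded null byte ("%00") in the "page" parameter. The Python script below is an added example, not part of the original advisory or the vendor's code: it scans web server access logs for quikstore.cgi requests of that shape. The Common Log Format layout and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Request line inside a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(raw, rounds=3):
    """Percent-decode a few times so nested encodings are normalised too."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    return data

def page_findings(request_target):
    """Reasons the 'page' parameter of a quikstore.cgi request looks abusive."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/quikstore.cgi"):
        return []
    findings = []
    # Split the raw query by hand so the undecoded value is inspected.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() != "page":
            continue
        decoded = fully_decode(value)
        if b"\x00" in decoded:
            findings.append("null byte")
        if b".." in re.split(rb"[/\\]", decoded):
            findings.append("parent-directory segment")
    return findings

def scan_log(lines):
    """Return (line_number, findings) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and (found := page_findings(match.group(1))):
            hits.append((number, found))
    return hits

# Constructed sample entries; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/quikstore.cgi?page=index.html&cart_id=123 HTTP/1.0" 200 5120',
    '192.0.2.77 - - [01/Jan/2000:10:02:11 +0000] "GET /cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id= HTTP/1.0" 200 48211',
    '192.0.2.77 - - [01/Jan/2000:10:02:40 +0000] "GET /cgi-bin/quikstore.cgi?page=%2E%2E%2Fquikstore.cgi%00html&cart_id= HTTP/1.0" 200 48211',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A hit with a 200 status and an unusually large response size is worth following up, since it suggests the file contents were actually returned.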
Attackers often get into your network through the weakest link
in the chain. If a server hosts 1,000 sites, and you are able to
get the password file, it is possible to endanger not only your
own website but all other websites located on the same machine
as yours. BE CAREFUL WHAT YOU ALLOW FOR SCRIPTS.
SOLUTION
The vendor has been contacted and will issue a fix soon. NOTE:
If you believe you are running a vulnerable version, please
contact your system administrator or ISP, or keep checking the
vendor for patches and upgrades.