Topic: Vulnerabilities in E-Cart
Tags: ISP BENDIGOLIVE COM WEBAPP
Pete (Guest)
Vulnerabilities in E-Cart
Posted on: 05/06/05 at 05:57:16

Be careful NOT to use the E-Cart mod, as it has a major flaw that lets hackers in. My complete site bendigolive.com was taken down by hackers who broke into the server via the E-Cart mod, then gained access to the entire server, taking down all of the other sites held on it too. Further investigation led to a vulnerability in E-Cart and had my ISP refusing to put the WebAPP site back up until the E-Cart mod was removed at least.
Pete again (Guest)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 05:59:31

This is the site my ISP gave to back up his story.
http://www.securityfocus.com...
TerryFletcher
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 09:03:05

I have been told that the risk would not affect my site if I am strictly using E-Cart with PayPal. Any comments on this?



Still learning...
On (Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 09:11:31

Thanks for the post Pete,

We have been aware of this exploit for a long time; we were also discussing this type of attack some weeks ago. The conclusion was that the current and even the old security patches should be good enough to filter it out.

The distributor of this mod at:

http://www.yazaport.com...

is using web-app v. 0.9.8, which is about two years old and most likely lacks this security patch.

What version web-app are you using?





"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
(Damian Conway from the book Perl Best Practices).



- LANGUAGE FILES (and language support) -> http://www.mlapp.org...
- FOR THE LATEST WEB-APP SECURITY PATCHES -> http://www.mlapp.org...
- FOR THE LATEST WEB-APP MODS (addons) -> http://www.web-app.net... /perl/webapp/modapp/
- FOR THE LATEST VERSION OF STATSLOG script (security addon) -> http://www.mlapp.org...
- TO CONTACT ME CLICK HERE -> info@mlapp.org OR VISIT -> http://www.mlapp.org...
TerryFletcher
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 09:27:37

I have two sites - one has 0.9.9 and the other 0.9.9.1.
I'd like to use the E-Cart to sell some items on these two sites with payment being sent straight through PayPal.
I am also planning a new site and will use the brand new WebAPP version there.



On (Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 14:55:50


TerryFletcher wrote:
I have two sites - one has 0.9.9 and the other 0.9.9.1.
I'd like to use the E-Cart to sell some items on these two sites with payment being sent straight through PayPal.
I am also planning a new site and will use the brand new WebAPP version there.



Would recommend you upgrade to 0.9.9.2.1; it has plenty of new fixes and better patches.

Otherwise, basically any mod that calls "getcgi();" should be protected against any one of these exploits as well as many others.

getcgi(); calls "sub getcgi" (the filter), which is located within the subs.pl file. You may want to simply add the new subs.pl in your user-lib/ to have the newer filter.






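A whitelist input filter of the getcgi() kind, as an added example in Perl; it is not WebAPP's own subs.pl (which is not reproduced here), the sub names and query strings are constructed for the illustration, and it runs under the taint mode (-T) that comes up later in this thread. It shows why a filter at the parameter boundary, not in each mod, is what protects the "art=" value quoted below:

```perl
#!/usr/bin/perl -T
# Added example, not WebAPP's own subs.pl: a getcgi()-style whitelist filter
# for CGI parameters, run under Perl taint mode (-T).
use strict;
use warnings;

# Accept only names made of [A-Za-z0-9_-] segments joined by single dots, so
# spaces, pipes, quotes, slashes and ".." never reach open(), a shell or
# the filesystem. Returns undef when the value is rejected.
sub filter_param {
    my ($value) = @_;
    return undef unless defined $value;
    # The capturing match is also what untaints the value under -T.
    return $1 if $value =~ /^([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)$/;
    return undef;
}

# Minimal query-string parser (hypothetical; the real getcgi in subs.pl is
# not reproduced here). Every value passes through filter_param().
sub parse_query {
    my ($query) = @_;
    my %in;
    for my $pair (split /[&;]/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;   # URL-decode before filtering
        $in{$k} = filter_param($v);                   # undef means "rejected"
    }
    return \%in;
}

# Constructed inputs: a legitimate request and the "art=" value quoted in the
# thread, which decodes to contain a space and is therefore rejected.
my $good = parse_query('action=viewart&cat=reproductores_dvd&art=dvp-ns315');
my $bad  = parse_query('action=viewart&cat=reproductores_dvd'
                     . '&art=reproductordvp-ns315.datuname%20-a');

for my $req ($good, $bad) {
    my $art = $req->{art};
    print defined $art ? "art ok: $art\n" : "art rejected\n";
}
```

Run it as `perl -T filter.pl`: taint mode has to be given on the command line as well as in the shebang, or perl stops with "Too late for -T".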
       
Anton (Test)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 18:11:07

So now I see what the www.web-app.net/cgi-bin/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.datuname%20-a are all about.



My generic signature...
Jack Deth (Administrator, Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 18:44:13

So what you're saying here is... E-Cart Mod is secure if you're using it with 0.9.9.2.1 and up???

This could be good news...  can we confirm this?



Beta-Tester Extraordinaire.

Testing on various platforms and operating systems...

http://www.2xlnt.com...
http://www.themeapp.com...
Anton (Test)
Re: Vulnerabilities in E-Cart
Posted on: 05/06/05 at 20:15:01


Jack Deth wrote:
So what you're saying here is... E-Cart Mod is secure if you're using it with 0.9.9.2.1 and up???

This could be good news... can we confirm this?


If E-Cart is using getcgi sub then yes.



On (Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 00:37:09


Jack Deth wrote:
can we confirm this?



Simply click the link that Anton posted:

www.web-app.net/cgi-bin/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.datuname%20-a

Sorry Jos ;)





       
Shaka_Flex (Test)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 06:29:52


Anton wrote:
So what you're saying here is... E-Cart Mod is secure if you're using it with 0.9.9.2.1 and up???

This could be good news... can we confirm this?
If E-Cart is using getcgi sub then yes.



Then E-Cart wasn't the exploit; it was WebAPP that made the hole. E-Cart could execute the hole.

Some server companies have turned off my server till I put something other than WebAPP for the page. They even recommend some WebAPP competitors; they said "Pick these, they're built for security."

I have talked with some top-dog security program experts that say "If I was programming something like WebAPP that has been targeted as a hacker's hacking tool, I would use every security protection Perl has to offer in the next version, like more Perl module usage, taint, etc. Every bit of the code would be overhauled and tested one sub at a time! Don't be like Micro$oft and patch a security hole with another security hole. Fix it the right way."

All I could say to him was, "Ya."



The power of SQL is stronger than the flat file!
Stop being a kid! Use the more stable Perl modules.
What, you think you can do better than an expert that's been using Perl longer than you?
On (Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 09:44:58

I think that web-app is secure; there are some annoyance issues, but they have also been handled well, especially with the recent releases.

Basically I don't know of any other free cgi or php webportal out there that is more secure than web-app.

How could a web-app tainted help an insecure addon?

Can a user accuse Linux or Windows for external products that are not being updated/compatible with new releases?










       
Jack Deth (Administrator, Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 11:11:20

Obviously there needs to be an article posted on the site publicising the E-Cart issue, and the fix for it...

which is an updated web-app that kicks butt...

as well E-Cart needs to be updated to use getcgi...

This Update needs to be VERY Public...



Shaka_Flex (Test)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 11:15:20



On wrote:
Can a user accuse Linux or Windows for external products that are not being updated/compatible with new releases?



If a product says it's secure out of the box but doesn't have the latest security technology built in, it forces lots of people to use external products if they're smart.

When people start to accuse the maker of ignoring it, then people are disappointed in the product they trusted.



On (Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 11:53:59

Not sure to what extent we should be held responsible for external addons, especially when the distributors sell these products, e.g. E-Cart. However, it's an interesting ethical issue!

One thing that is more obvious is that we should maybe formulate some guidance for mod developers in which we could advise and guide them to take certain steps to ensure that the mods are secure. Example: call getcgi, link to web-app security updates, etc. I also think that we should have a list of mods that have been security checked and verified to be safe and compatible with web-app.





       
Jack Deth (Administrator, Dev)
Re: Vulnerabilities in E-Cart
Posted on: 05/07/05 at 12:11:12

Well, funny enough I noticed that E-Cart was listed in various places as being a FREE add-on to web-app.

Since it's free, it should be updated to use getcgi and put up for release here, due to the fact that the "developers" haven't done so yet...

Obviously they don't intend to update it, due to the fact that they are working with their php-based projects and have obviously not released an update to this in a VERY long time, even though I am certain they are aware of the problem.

Responsible for external add-ons, NO... responsible when it makes web-app look bad, and the developer of the add-on doesn't do a thing? Monetarily NO, informatively YES...

As for future mod development... a new Mod Tutorial needs to be made with getcgi and information on other various security updates and issues in web-app...

So, I could see the need to update the E-Cart mod as a service and to release a fixed version here as a service to the web-app community as a whole... I highly doubt any of the E-Cart users paid for it... so it's not a cash issue...
As well, if it hasn't been removed... the call-back email should be removed as well...

On wrote:
Not sure to what extent we should be held responsible for external addons, especially when the distributors sell these products, e.g. E-Cart. However, it's an interesting ethical issue!

One thing that is more obvious is that we should maybe formulate some guidance for mod developers in which we could advise and guide them to take certain steps to ensure that the mods are secure. Example: call getcgi, link to web-app security updates, etc. I also think that we should have a list of mods that have been security checked and verified to be safe and compatible with web-app.





