[LWN Logo]
[Timeline]
Date:         Mon, 20 Nov 2000 19:03:14 -0500
From: "admin@cgisecurity.com" <admin@CGISECURITY.COM>
Subject:      Cgisecurity Quickstore Shopping cart
To: BUGTRAQ@SECURITYFOCUS.COM

Now i already released this on my site but i forgot to post to bugtraq somehow.
Vendor was contacted and i waited awhile for a response and got none back.
Upgrade to the newest version for a fix.

-zenomorph

(ps. check bugtraq for older holes in the same product)




                        [Cgi Security Advisory #1]
                          admin@cgisecurity.com
                         Quikstore Shopping Cart



Problem first discovered
September 2000

Public release
October 2000

Script effected: QuikStore Shopping Cart
(www.quikstore.com)

Known versions effected:
Version: 2.00
Version: 2.09.05
Version: 2.09.10
Possible other versions. Those listed above are confirmed.


Platforms:
Unix
NT


1. Past problems

This particular script has had several past security issues.
Check bugtraq or www.securityfocus.com for further details.


2. Problem

In a few versions of QuikStore's Shopping Cart it is posible to
read any world readable file on the server. One such example is that
someone could easily get your password file if it is unshadowed. Also,
it's possible, after the passwords have been cracked, to steal credit card
information(Yes it does use pgp but some admins may keep the key on the
same system. Yes its very likely it could happen.) ,or client personal
information.

The problem lies in QuikStore.cgi itself. The following example (found
below) grabs the cgi programs actual source code. You can imagine other
ways to exploit this. I decided not to post the actual exploit so I may be
able to save a few sites from a *few* script kiddies (although a 2 year
old should be able to figure it out). Another potential problem is that it
is posible to read configuration files, and potentially expose paths to
sensitive files, or information which you probably do not want people to
know about.

http://somesite/cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id=
(Grabs the cgi's source code)



3. More problems

A lot of the ways attackers get into your network are through the weakest
link in the chain. If a server hosts 1,000 sites, and you are able to get
the password file, it is not only possible to endanger your own website,
but all other websites located on the same machine as yours.
BE CAREFUL WHAT YOU ALLOW FOR SCRIPTS.



4. Fixes

The vendor has been contacted and will issue a fix soon.
NOTE: If you believe you are running a vulnerable version please
contact your system administrator or ISP or keep checking the vendor
for patches and upgrades.





Published to the Public October 30th 2000
Copyright September 2000 Cgisecurity.com