[Cgi Security Advisory #1]
admin@cgisecurity.com

Quikstore Shopping Cart Problem

Problem first discovered: September 2000
Public release: October 2000

Script affected: QuikStore Shopping Cart (www.quikstore.com)

Known versions affected:
  Version: 2.00
  Version: 2.09.05
  Version: 2.09.10
  Version: 3.0
  Possibly other versions. Those listed above are confirmed.

Platforms: Unix, NT

1. Past problems

This particular script has had several past security issues. Check bugtraq or www.securityfocus.com for further details.

2. Problem

In a few versions of QuikStore's Shopping Cart it is possible to read any world-readable file on the server. One such example is that someone could easily get your password file if it is unshadowed. Also, it's possible, after the passwords have been cracked, to steal credit card information (yes, it does use PGP, but some admins may keep the key on the same system; yes, it's very likely this could happen) or client personal information.

The problem lies in QuikStore.cgi itself. The example below grabs the CGI program's actual source code. You can imagine other ways to exploit this. I decided not to post the actual exploit so I may be able to save a few sites from a *few* script kiddies (although a 2 year old should be able to figure it out). Another potential problem is that it is possible to read configuration files, and potentially expose paths to sensitive files, or information which you probably do not want people to know about.

http://somesite/cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id=
(Grabs the cgi's source code)

3. More problems

A lot of the ways attackers get into your network are through the weakest link in the chain. If a server hosts 1,000 sites, and someone is able to get the password file, it is not only possible to endanger your own website, but all other websites located on the same machine as yours. BE CAREFUL WHAT YOU ALLOW FOR SCRIPTS.

4. Fixes

The vendor has been contacted and will issue a fix soon.

NOTE: If you believe you are running a vulnerable version please contact your system administrator or ISP, or keep checking the vendor for patches and upgrades.

Published to the Public October 30th 2000
Copyright September 2000 Cgisecurity.com
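Added example, not part of the original advisory and not QuikStore's own code (the real quikstore.cgi is Perl and its internals are not shown here): a Python model of why the "page=../quikstore.cgi%00html" request works, the input checks a fixed script needs, and a detection pass over access-log lines. The template directory, the page-resolution logic and the log lines are constructed assumptions.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

TEMPLATE_ROOT = "/var/www/quikstore/html"   # assumed template directory (placeholder)

def unsafe_template_path(page: str) -> str:
    """Models the flawed pattern: the 'page' parameter becomes a filename with '.html' appended."""
    return os.path.join(TEMPLATE_ROOT, unquote(page) + ".html")

def os_level_target(path: str) -> str:
    """What a C-level open() actually sees: the name ends at the first NUL byte, so the
    appended '.html' is discarded and the '../' traversal in the prefix is honoured."""
    return os.path.normpath(path.split("\x00", 1)[0])

def safe_template_path(page: str) -> Optional[str]:
    """Hardened resolver: a path inside TEMPLATE_ROOT, or None if the request is rejected."""
    raw = unquote(page)
    if not raw or "\x00" in raw:                        # NUL byte would truncate the name
        return None
    if not all(c.isalnum() or c in "_-" for c in raw):  # allow-list: no '/', '.', etc.
        return None
    root = os.path.realpath(TEMPLATE_ROOT)
    candidate = os.path.realpath(os.path.join(root, raw + ".html"))
    if os.path.commonpath([root, candidate]) != root:   # belt and braces: stay under root
        return None
    return candidate

# Constructed access-log lines for detection testing (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /cgi-bin/quikstore.cgi?page=welcome&cart_id=42 HTTP/1.0" 200',
    '203.0.113.9 - - "GET /cgi-bin/quikstore.cgi?page=../quikstore.cgi%00html&cart_id= HTTP/1.0" 200',
    '203.0.113.7 - - "GET /cgi-bin/quikstore.cgi?page=checkout&cart_id=7 HTTP/1.0" 404',
]
QUERY_RE = re.compile(r'quikstore\.cgi\?([^ "]*)')

def suspicious_requests(lines: List[str]) -> List[str]:
    """Flags requests whose decoded query string carries a NUL byte or a traversal sequence."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        decoded = unquote(m.group(1))
        if "\x00" in decoded or "../" in decoded or "..\\" in decoded:
            hits.append(line)
    return hits
```

Decoding before matching matters: the advisory's request only shows its traversal and NUL byte once "%00" and any "%2F" are unescaped, so a filter or log search on the raw query string will miss it.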