More than 100 e-commerce sites vulnerable to shopping cart flaw

Powered by SC Magazine

Lack of patching leaves companies exposed.

A list of more than a hundred small online businesses running vulnerable components of the osCommerce shopping cart software has been published online.

The vulnerable sites could have their database passwords stolen, granting attackers access.

Each contained a directory dubbed extras that had been identified as insecure in 2006 and removed from subsequent osCommerce releases.

It was introduced in the osCommerce Online Merchant download, which helped users upgrade the PHP and Perl scripts on their sites.

An insecure directory listing implementation meant those scripts allowed any file on the server to be read, including configuration files and database backups, provided the location of the file was known.

The company said the scripts were not relevant to current releases and that users should remove them.

Many of the websites in the list were duplicates, and three of the sites belonged to Australian companies.

Context Information Security consultant Michael Jordon said the local file inclusion vulnerability allowed "for any file on the system to be read which could easily lead to a full compromise of the server" if for example attackers had found a data backup file.

“If the database is available from the internet, then it's game over,” he said.

He said the discovery of the vulnerability was not "particularly clever" and was likely found through Google search queries.

“The listed websites need to patch urgently and change all database connector credentials and then check that no credit card, personal data or passwords were in clear text in the database.”

This article originally appeared at scmagazineuk.com
Copyright © SC Magazine, UK edition