On-Prem

This article is more than 1 year old

Another shopping-cart back door revealed

Sloppy code continues to make CC hacking child's play

Thu 4 May 2000 // 17:17 UTC

British Net security outfit Cerberus has discovered a backdoor password in the McMurtrey-Whitaker Win32 shopping cart.

The executable cart32.exe has coded into it a weak password which can be used to view other passwords, enabling an attacker to modify the cart to run arbitrary commands on a server, and so easily gain access to customers' credit card details.

A second weakness enables an intruder to change the admin password without knowing the current one. Both holes were the result of McMurtrey-Whitaker's desire to facilitate customer support by enabling the recovery of lost passwords, company support technician Lauren Willard told The Register. Those features were not available to customers and not documented, Willard said.

In its haste to gain notoriety in an age of hacking media-hype, Cerberus posted an advisory which identifies the password and explains in detail how best to exploit both holes.

It also suggests a possible fix, recommending that customers open the executable with a hex editor and replace the default password with one of their choosing. To accommodate the technically squeamish, L0pht Heavy Industries has hacked out a quick, self-executing patch to make changing the password easy.

To accommodate the paranoid, they have also posted the source code. Cerberus posted its advisory without first contacting McMurtrey-Whitaker, normally a standard practice. "Due to the severity and seriousness of this issue, Cerberus has taken the rare step of making this information publicly available before the vendor has provided a patch," the company says. Yeah, right. It wouldn't be serious if Cerberus hadn't splashed it all over the web.

We call it low exploitation and cheap self-promotion. The advisory doesn't heighten security, but actually jeopardises it, Willard notes. McMurtrey-Whitaker will distribute a new build with all its holes bunged on Friday or Monday, she said. ®

More about

Hacking

More about

Hacking

Broader topics

More about

Hacking

More about

Hacking

Broader topics

TIP US OFF

Send us news

Topics

Special Features

Vendor Voice

Resources

On-Prem

Another shopping-cart back door revealed

Sloppy code continues to make CC hacking child's play

More about

More about

Broader topics

More about

More about

More about

Broader topics

TIP US OFF

Other stories you might like

X's Grok AI is great – if you want to know how to hot wire a car, make drugs, or worse

Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job

Hackers mod a Sony PlayStation Portal to run PSP games

Reducing the cloud security overhead

Wikileaks source and former CIA worker Joshua Schulte sentenced to 40 years jail

Tesla hacks make big bank at Pwn2Own's first automotive-focused event

Think tank report labels NSO, Lazarus as 'cyber mercenaries'

Red Cross lays down hacktivism law as Ukraine war rages on

CLI-beautifying ANSI escape sequences can also make your log files a security threat

Tesla hackers turn to voltage glitching to unlock paywalled features

Unsealed: Charges against Russians blamed for Mt Gox crypto-exchange collapse

Some potential: How bad software updates could over-volt, brick remote servers

About Us

Our Websites

Your Privacy