Date: Fri, 23 Apr 1999 23:14:31 +0200 From: Bo Elkjaer <boo@DATASHOPPER.DK> To: BUGTRAQ@netspace.org Subject: Re: Shopping Carts exposing CC data This is my first post to Bugtraq so please bear with me for any errs and/or misconducts. I'd just like to point out, that Webcart is vulnerable too. Here goes: Mountain Network Systems Inc. http://www.mountain-net.com Platform: ? Exposed Directories: /config, /orders (and others. They're all listed in config-file) Exposed Order Info: orders.txt Exposed Config Info: mountain.cfg Number of exposed installs: 18+ at a quick glance. Probably more. PGP Option Available?: Unknown Status: Commercial, ranging from $399 to $4650. Bo Elkjaer, Denmark --------------------------------------------------------------------------- Date: Fri, 23 Apr 1999 17:15:00 -0700 From: Joe <joe@GONZO.BLARG.NET> To: BUGTRAQ@netspace.org Subject: Re: Shopping Carts exposing CC data On Fri, 23 Apr 1999, Bo Elkjaer wrote: > This is my first post to Bugtraq so please bear with me for any errs and/or > misconducts. > > I'd just like to point out, that Webcart is vulnerable too. > > Here goes: > > > Mountain Network Systems Inc. http://www.mountain-net.com > Platform: ? > Exposed Directories: /config, /orders (and others. They're all listed in > config-file) > Exposed Order Info: orders.txt > Exposed Config Info: mountain.cfg > Number of exposed installs: 18+ at a quick glance. Probably more. > PGP Option Available?: Unknown > Status: Commercial, ranging from $399 to $4650. > > > Bo Elkjaer, Denmark > Confirmed it, sent a heads-up to mountain-net. Worse, look for "import.txt" and "checks.txt" Import.txt includes every order ever made on the site in a tab-delimited format. *sigh* -- Joe H. Technical Support General Support: support@blarg.net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net --------------------------------------------------------------------------- Date: Sat, 24 Apr 1999 03:37:32 +0200 (CEST) From: Anonymous <nobody@replay.com> To: cypherpunks@toad.com Subject: Hole in Web Security E-commerce Boom Fueling Security Hole? http://www.thestandard.com/articles/display/0,1449,4307,00.html Expert Finds Hole in Shopping Carts http://www.zdnet.com/zdnn/stories/news/0,4586,2246537,00.html Expert Warns of Safety Glitch in Online-Shopping Software http://interactive.wsj.com/articles/SB924838677495215904.htm Online Credit Card Theft Reported http://www.latimes.com/HOME/BUSINESS/t000036381.1.html --------------------------------------------------------------------------- Date: Fri, 23 Apr 1999 22:57:45 -0500 From: hevnsnt <hevnsnt@BIGFOOT.COM> To: BUGTRAQ@netspace.org Subject: Re: Shopping Carts exposing CC data Sorry If already known, 1st post.. Even worse than this, check the Admin directory.. ugh. Seems as though you can configure the system without any type of password or authentication. *sigh* x2 -hevn --------------------------------------------------------------------------- Date: Sat, 24 Apr 1999 14:54:40 -0500 From: William Devine II <wdevine@BLUEGATE.COM> To: BUGTRAQ@netspace.org Subject: Re: FW: Shopping Carts exposing CC data (fwd from Mountain-Net Mountain Network Systems (www.mountain-net.com) makers of the WebCart system is a customer of ours. I received email from him after forwarding a copy of the messages on the bugtraq re: webcart. This is a reply I received from him. william Forwarded message: > From support@mountain-net.com Sat Apr 24 07:12:51 1999 > Date: Sat, 24 Apr 1999 07:11:41 -0500 > To: "William Devine, II" <william@crescentcon.com> > X-UIDL: 924983340.009 > From: support@mountain-net.com > Subject: Re: FW: Shopping Carts exposing CC data > > Hi William, > > Can you tell me where the signup is or just post this message. > > Good Day, > > We noticed your comment regarding one of our systems. Please be informed > that we clearly state in the manuals how to secure your website when using > the WebCart(r) system. If the website owner elects not to take these steps > information will be exposed. This is not a reflection of the software but > the level of protection the website/store owner wants to give their clients. > > In terms of professional conduct, if you find issues such as these you > should contact the store owner and inform them of this. Not post their > website to everyone in a mailist. You should also make sure you have all > related information prior to making such a bold statement. You have clearly > not read or had access to the manuals which describe in detail the steps to > take to > avoid this issue. > > Best Regards, > Dan > > At 17:07 4/23/99 -0500, you wrote: > > > > > >-----Original Message----- > >From: Bugtraq List [mailto:BUGTRAQ@netspace.org] On Behalf Of Bo Elkjaer > >Sent: Friday, April 23, 1999 4:15 PM > >To: BUGTRAQ@netspace.org > >Subject: Re: Shopping Carts exposing CC data > > > > > >This is my first post to Bugtraq so please bear with me for any errs and/or > >misconducts. > > > >I'd just like to point out, that Webcart is vulnerable too. > > > >Here goes: > > > > > >Mountain Network Systems Inc. http://www.mountain-net.com > >Platform: ? > >Exposed Directories: /config, /orders (and others. They're all listed in > >config-file) > >Exposed Order Info: orders.txt > >Exposed Config Info: mountain.cfg > >Number of exposed installs: 18+ at a quick glance. Probably more. > >PGP Option Available?: Unknown > >Status: Commercial, ranging from $399 to $4650. > > > > > >Bo Elkjaer, Denmark > > > > > > > > ------------------------------------------------------ > Mountain Network Systems, Inc. (281) 373-1196 > P.O. Box 1362 Cypress, TX 77429 > "Your Internet Programming Source" > > http://www.mountain-net.com > http://www.inet-domains.net > http://www.webstores.net > > ------------------------------ > Sales: sales@mountain-net.com > Support: support@mountain-net.com > ------------------------------ > > Specialist in Advanced Internet Systems . . . making your > website work for you all day everyday. > > Economist estimate a $200 billion online market by the > year 2000. Now is the time to transform your website > into a profit center! > ------------------------------------------------------ >