Date: Fri, 23 Apr 1999 23:14:31 +0200
From: Bo Elkjaer <boo@DATASHOPPER.DK>
To: BUGTRAQ@netspace.org
Subject: Re: Shopping Carts exposing CC data

This is my first post to Bugtraq so please bear with me for any errs and/or
misconducts.

I'd just like to point out that Webcart is vulnerable too.

Here goes:


Mountain Network Systems Inc. http://www.mountain-net.com
Platform: ?
Exposed Directories: /config, /orders (and others. They're all listed in the
config file)
Exposed Order Info: orders.txt
Exposed Config Info: mountain.cfg
Number of exposed installs: 18+ at a quick glance. Probably more.
PGP Option Available?: Unknown
Status: Commercial, ranging from $399 to $4650.


Bo Elkjaer, Denmark

---------------------------------------------------------------------------

Date: Fri, 23 Apr 1999 17:15:00 -0700
From: Joe <joe@GONZO.BLARG.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Shopping Carts exposing CC data

On Fri, 23 Apr 1999, Bo Elkjaer wrote:

> This is my first post to Bugtraq so please bear with me for any errs and/or
> misconducts.
>
> I'd just like to point out that Webcart is vulnerable too.
>
> Here goes:
>
>
> Mountain Network Systems Inc. http://www.mountain-net.com
> Platform: ?
> Exposed Directories: /config, /orders (and others. They're all listed in the
> config file)
> Exposed Order Info: orders.txt
> Exposed Config Info: mountain.cfg
> Number of exposed installs: 18+ at a quick glance. Probably more.
> PGP Option Available?: Unknown
> Status: Commercial, ranging from $399 to $4650.
>
>
> Bo Elkjaer, Denmark
>

Confirmed it, sent a heads-up to mountain-net.  Worse, look for
"import.txt" and "checks.txt".  Import.txt includes every order ever made
on the site in a tab-delimited format.

*sigh*

--
Joe H.                                  Technical Support
General Support:  support@blarg.net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net

---------------------------------------------------------------------------

Date: Sat, 24 Apr 1999 03:37:32 +0200 (CEST)
From: Anonymous <nobody@replay.com>
To: cypherpunks@toad.com
Subject: Hole in Web Security

E-commerce Boom Fueling Security Hole?
http://www.thestandard.com/articles/display/0,1449,4307,00.html

Expert Finds Hole in Shopping Carts
http://www.zdnet.com/zdnn/stories/news/0,4586,2246537,00.html

Expert Warns of Safety Glitch in Online-Shopping Software
http://interactive.wsj.com/articles/SB924838677495215904.htm

Online Credit Card Theft Reported
http://www.latimes.com/HOME/BUSINESS/t000036381.1.html

---------------------------------------------------------------------------

Date: Fri, 23 Apr 1999 22:57:45 -0500
From: hevnsnt <hevnsnt@BIGFOOT.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Shopping Carts exposing CC data


Sorry if already known, 1st post.

Even worse than this, check the Admin directory... ugh.  Seems as though you
can configure the system without any type of password or authentication.
*sigh* x2

-hevn
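The three findings above (order and config files readable over the web, the data directories themselves exposed, and an admin directory with no authentication) are all web-server access-control problems. The following is an added example, not code from the thread or from Mountain Network Systems: it walks a WebCart-style document root, reports the file and directory names the thread mentions, and emits Apache access-control rules that deny the data files and directories and put HTTP Basic authentication in front of the admin directory. The sample document-root layout is constructed, the password-file path is a hypothetical placeholder, and the `Order`/`Deny` syntax is the Apache 1.3/2.2 form (Apache 2.4 uses `Require all denied` instead).

```python
"""Audit a WebCart-style document root for the files and directories the
Bugtraq thread names as web-exposed, and generate Apache deny/auth rules.
Added example, not the vendor's code. File and directory names come from
the thread; the sample docroot below is constructed."""
import os
import tempfile
from pathlib import Path

# Files named in the thread as exposed order/config data.
SENSITIVE_FILES = {"orders.txt", "mountain.cfg", "import.txt", "checks.txt"}
# Data directories named in the thread: deny outright.
DENY_DIRS = {"config", "orders"}
# The admin directory must at least require authentication.
AUTH_DIRS = {"admin"}


def find_exposed(docroot):
    """Walk docroot and return (files, deny_dirs, auth_dirs) as sorted lists
    of paths relative to docroot, using forward slashes as a web server would."""
    root = Path(docroot)
    files, deny_dirs, auth_dirs = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in dirnames:
            r = (rel / d).as_posix()
            if d.lower() in DENY_DIRS:
                deny_dirs.append(r)
            elif d.lower() in AUTH_DIRS:
                auth_dirs.append(r)
        for f in filenames:
            if f.lower() in SENSITIVE_FILES:
                files.append((rel / f).as_posix())
    return sorted(files), sorted(deny_dirs), sorted(auth_dirs)


def apache_rules(docroot, files, deny_dirs, auth_dirs,
                 userfile="/etc/httpd/webcart.passwd"):
    """Render Apache 1.3/2.2-style <Directory>/<FilesMatch> blocks: deny the
    data directories and files, require Basic auth for the admin directory.
    `userfile` is a placeholder path (assumption), to be created with htpasswd."""
    docroot = Path(docroot).as_posix().rstrip("/")
    out = []
    for d in deny_dirs:
        out.append(f'<Directory "{docroot}/{d}">\n'
                   "    Order deny,allow\n"
                   "    Deny from all\n"
                   "</Directory>")
    for d in auth_dirs:
        out.append(f'<Directory "{docroot}/{d}">\n'
                   "    AuthType Basic\n"
                   '    AuthName "WebCart admin"\n'
                   f"    AuthUserFile {userfile}\n"
                   "    Require valid-user\n"
                   "</Directory>")
    # Deny the data files by name wherever they sit, in case a copy lives
    # outside the directories above (the thread found them in several places).
    names = sorted({Path(f).name for f in files})
    if names:
        pattern = "|".join(n.replace(".", r"\.") for n in names)
        out.append(f'<FilesMatch "^({pattern})$">\n'
                   "    Order deny,allow\n"
                   "    Deny from all\n"
                   "</FilesMatch>")
    return "\n".join(out)


def build_sample_docroot():
    """Constructed sample layout (assumption) using the thread's file names,
    so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="webcart_")
    for d in ("config", "orders", "admin", "images"):
        os.makedirs(os.path.join(root, d))
    Path(root, "config", "mountain.cfg").write_text("# constructed config\n")
    Path(root, "orders", "orders.txt").write_text("constructed order line\n")
    Path(root, "orders", "import.txt").write_text("constructed\timport\n")
    Path(root, "images", "logo.gif").write_bytes(b"GIF89a")
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    found_files, found_deny, found_auth = find_exposed(sample)
    print("exposed files:", found_files)
    print("data dirs to deny:", found_deny)
    print("dirs needing auth:", found_auth)
    print(apache_rules(sample, found_files, found_deny, found_auth))
```

Run it against the real document root instead of the sample and paste the output into httpd.conf (or a `.htaccess` file where `AllowOverride` permits it); the filesystem walk only reports what is present, so it should be re-run after the store software is upgraded or new data directories appear.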

---------------------------------------------------------------------------

Date: Sat, 24 Apr 1999 14:54:40 -0500
From: William Devine II <wdevine@BLUEGATE.COM>
To: BUGTRAQ@netspace.org
Subject: Re: FW: Shopping Carts exposing CC data (fwd from Mountain-Net

Mountain Network Systems (www.mountain-net.com), makers of the
WebCart system, is a customer of ours.  I received email from him after
forwarding a copy of the messages on Bugtraq re: WebCart.
This is the reply I received from him.

william

Forwarded message:
> From support@mountain-net.com  Sat Apr 24 07:12:51 1999
> Date: Sat, 24 Apr 1999 07:11:41 -0500
> To: "William Devine, II" <william@crescentcon.com>
> X-UIDL: 924983340.009
> From: support@mountain-net.com
> Subject: Re: FW: Shopping Carts exposing CC data
>
> Hi William,
>
> Can you tell me where the signup is or just post this message.
>
> Good Day,
>
> We noticed your comment regarding one of our systems. Please be informed
> that we clearly state in the manuals how to secure your website when using
> the WebCart(r) system. If the website owner elects not to take these steps
> information will be exposed. This is not a reflection of the software but
> the level of protection the website/store owner wants to give their clients.
>
> In terms of professional conduct, if you find issues such as these you
> should contact the store owner and inform them of this. Not post their
> website to everyone in a mailing list. You should also make sure you have all
> related information prior to making such a bold statement. You have clearly
> not read or had access to the manuals which describe in detail the steps to
> take to avoid this issue.
>
> Best Regards,
> Dan
>
> At 17:07 4/23/99 -0500, you wrote:
> >
> >
> >-----Original Message-----
> >From: Bugtraq List [mailto:BUGTRAQ@netspace.org] On Behalf Of Bo Elkjaer
> >Sent: Friday, April 23, 1999 4:15 PM
> >To: BUGTRAQ@netspace.org
> >Subject: Re: Shopping Carts exposing CC data
> >
> >
> >This is my first post to Bugtraq so please bear with me for any errs and/or
> >misconducts.
> >
> >I'd just like to point out that Webcart is vulnerable too.
> >
> >Here goes:
> >
> >
> >Mountain Network Systems Inc. http://www.mountain-net.com
> >Platform: ?
> >Exposed Directories: /config, /orders (and others. They're all listed in the
> >config file)
> >Exposed Order Info: orders.txt
> >Exposed Config Info: mountain.cfg
> >Number of exposed installs: 18+ at a quick glance. Probably more.
> >PGP Option Available?: Unknown
> >Status: Commercial, ranging from $399 to $4650.
> >
> >
> >Bo Elkjaer, Denmark
> >
> >
> >
>
> ------------------------------------------------------
> Mountain Network Systems, Inc.     (281) 373-1196
> P.O. Box 1362                      Cypress, TX 77429          
> "Your Internet Programming Source"
>
> http://www.mountain-net.com           
> http://www.inet-domains.net
> http://www.webstores.net
>
>              ------------------------------
> Sales:       sales@mountain-net.com
> Support:     support@mountain-net.com
>              ------------------------------
>
> Specialist in Advanced Internet Systems . . . making your
> website work for you all day everyday.
>
> Economists estimate a $200 billion online market by the
> year 2000.  Now is the time to transform your website
> into a profit center!
> ------------------------------------------------------
>