XATO-112000-01
Posted Nov 14, 2000
Authored by Sozni | Site xato.net

Xato Security Advisory XATO-112000-01 - The Cart32 shopping cart v3.5 and below for Windows contains multiple remote vulnerabilities. Common user misconfigurations and bad password encryption make the application more vulnerable, often allowing a full compromise of the server.

tags | remote, vulnerability
systems | windows
SHA-256 | 1b68205e70ca4e4f88bcbe2c595d4abb3e3d2bc69c1f1a4b3a2ee611cee2a60c

                        Xato Network Security, Inc.
www.xato.net

Security Advisory XATO-112000-01
November 9, 2000


- MULTIPLE VULNERABILITIES WITH CART32 SHOPPING CART -


----------------------------------------------------------------------------

Systems Affected
================
Win32-based servers using Cart32 v3.5 and below.


Overview
========
The Cart32 shopping cart application from McMurtrey/Whitaker & Associates,
Inc. is vulnerable to a number of information leakage and other attacks.
Furthermore, common user misconfigurations and bad password encryption
make the application more vulnerable, possibly allowing a full compromise
of the server's security.


Details
=======
The Cart32 shopping cart application is a Win32 executable that resides
on a web server as cart32.exe and c32web.exe. A number of parameters can
be passed to these CGI applications that reveal server information,
namely the physical path to the web root, the physical path to the
Windows directory, and the physical path to the program files directory.
The following URLs demonstrate this problem:

http://www.example.com/cgi-bin/cart32.exe/error
http://www.example.com/cgi-bin/c32web.exe/ShowAdminDir
http://www.example.com/cgi-bin/c32web.exe/CheckError?error=53

Cart32 is also vulnerable to a denial of service attack that drives the
server's processor to 100% usage when the following URL is requested:

http://www.example.com/cgi-bin/c32web.exe/ShowProgress

Cart32 has issued an updated version, 3.5a, that addresses most of these
issues; it is available from their web site (www.cart32.com).

Another problem is that many people (often as set up by their ISP or web
hosting company) put the cart32.ini file in the same directory as
cart32.exe and c32web.exe. If that file is in the CGI directory and is
readable over the web, much more information about the server can be
revealed, especially if the Debug section exists in that file.
Cart32.ini contains a lightly encrypted admin password and server
configuration information. The Debug section can contain plaintext
passwords, server environment variables, and other sensitive
information. The issue of leaving the cart32.ini file in the CGI
directory has been publicly discussed in the past, and Cart32 does have
a KB article about it, but it is still a very common problem, as any
search engine will reveal. This issue needs to be readdressed,
especially considering the weakness of their encryption.
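The requests listed above (the path-revealing and ShowProgress URLs) and
direct fetches of cart32.ini are easy to spot in IIS logs after the fact.
The following Python script is an added example for this advisory, not
code from Xato or Cart32: it parses IIS W3C extended log lines (a
constructed sample is embedded) and flags requests matching the probes
the advisory describes. The list of path-info verbs is limited to those
named in this advisory and is an assumption, not a complete catalogue of
Cart32 commands; the sample client addresses and the benign request are
constructed.

```python
"""Flag Cart32 information-leak / DoS probes and cart32.ini fetches in IIS logs.

Added example for the XATO-112000-01 advisory; the log below is constructed
in the IIS W3C extended format (fields declared by the #Fields directive).
"""
from collections import namedtuple

Finding = namedtuple("Finding", "time client path status reason")

# Path-info verbs from the advisory, keyed by the CGI executable that exposes them.
# Assumption: only the requests the advisory lists are included.
PROBE_VERBS = {
    "cart32.exe": {"error": "error page reveals physical paths"},
    "c32web.exe": {
        "showadmindir": "reveals admin directory path",
        "checkerror": "error lookup reveals physical paths",
        "showprogress": "CPU-exhaustion (denial of service) request",
    },
}

# Constructed sample log: four probes, one cart32.ini fetch, two benign requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-09 10:01:02 192.0.2.10 GET /cgi-bin/cart32.exe/error - 200
2000-11-09 10:01:05 192.0.2.10 GET /cgi-bin/c32web.exe/ShowAdminDir - 200
2000-11-09 10:01:09 192.0.2.10 GET /cgi-bin/c32web.exe/CheckError error=53 200
2000-11-09 10:02:00 192.0.2.44 GET /cgi-bin/cart32.ini - 200
2000-11-09 10:02:30 198.51.100.7 GET /cgi-bin/cart32.exe shop=demo 200
2000-11-09 10:03:00 192.0.2.10 GET /cgi-bin/c32web.exe/ShowProgress - 200
2000-11-09 10:04:00 203.0.113.5 GET /index.html - 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields directive before data lines")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify(stem):
    """Return a reason string if the URI stem matches a known probe, else None."""
    parts = stem.lower().strip("/").split("/")
    if parts[-1] == "cart32.ini":
        return "cart32.ini requested over HTTP (config and admin password exposure)"
    for i, seg in enumerate(parts):
        if seg in PROBE_VERBS and i + 1 < len(parts):
            desc = PROBE_VERBS[seg].get(parts[i + 1])
            if desc:
                return f"{seg}/{parts[i + 1]}: {desc}"
    return None


def scan(log_text):
    """Return a Finding for every request that matches one of the advisory's probes."""
    findings = []
    for rec in parse_w3c(log_text):
        reason = classify(rec["cs-uri-stem"])
        if reason:
            findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"],
                                    rec["cs-uri-stem"], rec["sc-status"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.client} {f.status} {f.path}  <- {f.reason}")
```

A 200 status on the cart32.ini line is the case to treat as a confirmed
exposure; a 404 on the same path still shows someone looking for it.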

On November 6, 2000 Colin Hart and Cart32 issued a joint advisory (BID
195) addressing the issue of the weak encryption. They also stated
that they will not be releasing the actual algorithm. Because we do
not agree with the concept of security through obscurity, we have put
together this snippet of VBScript code to demonstrate how a password
can be decrypted:

' Cart32Decode: inverts the scheme used for the admin password stored in
' cart32.ini, as published in this advisory. Each output character is one
' character of the stored string taken from a fixed position and shifted
' down by a fixed offset; no key is involved, so anyone holding this table
' can recover the password.
' Note: as published, position 2 is read twice and position 16 is never read.
Function Cart32Decode(sPass)
    Cart32Decode = Chr(Asc(Mid(sPass, 8, 1)) - 12) & _
        Chr(Asc(Mid(sPass, 5, 1)) - 8) & _
        Chr(Asc(Mid(sPass, 3, 1)) - 16) & _
        Chr(Asc(Mid(sPass, 15, 1)) - 15) & _
        Chr(Asc(Mid(sPass, 9, 1)) - 9) & _
        Chr(Asc(Mid(sPass, 1, 1)) - 12) & _
        Chr(Asc(Mid(sPass, 4, 1)) - 3) & _
        Chr(Asc(Mid(sPass, 11, 1)) - 5) & _
        Chr(Asc(Mid(sPass, 13, 1)) - 11) & _
        Chr(Asc(Mid(sPass, 6, 1)) - 5) & _
        Chr(Asc(Mid(sPass, 2, 1)) - 1) & _
        Chr(Asc(Mid(sPass, 2, 1)) - 1) & _
        Chr(Asc(Mid(sPass, 14, 1)) - 13) & _
        Chr(Asc(Mid(sPass, 12, 1)) - 10) & _
        Chr(Asc(Mid(sPass, 10, 1)) - 6) & _
        Chr(Asc(Mid(sPass, 7, 1)) - 8)
End Function

As mentioned in Colin Hart's advisory, version 3.5a will fix this
problem.


Solution
========
Cart32 was first notified of these problems on August 28, 2000. Cart32
has issued a version 3.5a release that addresses some of these issues
but not all of them. If using Cart32 you should carefully read the
knowledge base articles available on their web site.


Commentary
==========
The real problem here isn't that Cart32 has security problems; it is
that programmers are often the weakest link in a network's security.
Programmers want to open up doors, making it easier to use and debug
their applications. Without proper security policy and training, you
get problems like those addressed above, as well as other problems that
Cart32 has had in the past, including hard-coded backdoor passwords. If
a software developer does not value security, they will not take the
time to protect their users. Another issue here is the encryption
algorithm being used. The algorithm is based on obscurity, not security,
and the algorithm is known to the developers of Cart32. That means
that any employee there would be able to decrypt any admin password
they had access to. I would prefer a more standard scheme that could
not be reversed by anyone, including employees of Cart32.
Unfortunately, any security expert could take any one of the thousands
of shopping cart applications available and find numerous holes. Many
times these same applications are used by some very large companies.
To make things worse, ISPs and web hosting companies are engaging in
poor security practices and recommending those same practices to their
customers. Until software developers take more steps to implement better
security practices, this problem will continue to grow.
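The point about obscurity versus a scheme nobody can reverse is easiest to
see side by side. The Python below is an added example, not code from
Xato or Cart32: it implements a fixed-table obfuscation of the same shape
the advisory criticises (characters moved to fixed positions and shifted
by fixed offsets, with a constructed table that is not Cart32's) and
shows that holding the table is enough to invert it, then stores and
checks a password with a salted, iterated PBKDF2-HMAC-SHA256 hash that
even the vendor's own staff cannot turn back into the password. The
iteration count is an assumption to be tuned for the target hardware.

```python
"""Fixed-table obfuscation versus a salted, iterated password hash.

Added example for the XATO-112000-01 commentary. POS/OFF are a constructed
8-entry table illustrating the scheme's shape; they are not Cart32's values.
"""
import hashlib
import hmac
import os

# Output position i takes input position POS[i], shifted up by OFF[i].
# POS must be a permutation so that every input character is kept exactly once.
POS = [3, 0, 5, 1, 7, 2, 6, 4]
OFF = [12, 8, 16, 15, 9, 12, 3, 5]

# Assumption: PBKDF2 work factor; raise it as far as login latency allows.
ITERATIONS = 200_000


def obfuscate(password):
    """'Encrypt' by shuffling and shifting; works only for exactly len(POS) chars."""
    if len(password) != len(POS):
        raise ValueError(f"password must be exactly {len(POS)} characters")
    out = [None] * len(POS)
    for i, (src, off) in enumerate(zip(POS, OFF)):
        out[i] = chr(ord(password[src]) + off)
    return "".join(out)


def deobfuscate(blob):
    """Anyone holding POS/OFF inverts the scheme; there is no key to withhold."""
    if len(blob) != len(POS):
        raise ValueError(f"blob must be exactly {len(POS)} characters")
    out = [None] * len(POS)
    for i, (src, off) in enumerate(zip(POS, OFF)):
        out[src] = chr(ord(blob[i]) - off)
    return "".join(out)


def hash_password(password, salt=None):
    """Store algorithm, iterations, salt and digest; the password itself is not recoverable."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "s3cretpw"  # constructed sample password
    blob = obfuscate(pw)
    print("obfuscated:", repr(blob), "-> recovered:", deobfuscate(blob))
    record = hash_password(pw)
    print("stored:", record)
    print("verify correct:", verify_password(pw, record),
          "verify wrong:", verify_password("s3cretpX", record))
```

The obfuscated form differs from the password but carries all of it, so a
leaked cart32.ini-style file plus the table equals a leaked password. The
hashed record can be published without revealing the password, and a
fresh random salt per record means two users with the same password
store different values.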


Acknowledgements
================
Author: sozni (sozni@xato.net)
Thanks to: Royce, tgooat, xentury, D. Staheli, A. Shumway, M. Burnett

This document is located at:
http://www.xato.net/reference/xato-112000-01.htm
http://www.xato.net/reference/xato-112000-01.txt


Xato Network Security, Inc. is a Windows security consulting company
that specializes in securing Windows NT4 and Windows 2000 web servers.
We also provide code auditing services because secure web applications
are as important as all other aspects of network security. Our programmers
are well trained in security practices as well as development methodologies
and can participate through all stages of the development process. For
more information on our services please visit www.xato.net.

-----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THIS ADVISORY IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. XATO NETWORK SECURITY, INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

COPYRIGHT (c) 2000 XATO NETWORK SECURITY, INC. ALL RIGHTS RESERVED.
-----------------------------------------------------------------------

Keywords:
Xato, Cart32, IIS, CGI, shopping cart, encryption, secure programming,
physical path, server information