========= Product: Interspire Shopping Cart ========= Problem: config/config.php MUST be httpd-readable (inter-domain read access permitted, which is a problem on shared hosting) ========= About product: What is Interspire Shopping Cart? Interspire Shopping Cart is the most feature rich, all-in-one shopping cart software available. It has an enterprise-grade feature set and is trusted by more than 15,000 businesses in over 65 countries. ========= Details: This software uses the permissions for config/config.php to determine the permissions for uploaded product image files.  Since images have to be readable by the web server user, the config/config.php file must also be readable by the web server user.  This means that for almost all shared hosting configurations, config/config.php is insecure -- by design.  You can set secure permissions on config.php, but this will invariably cause static images to be unreadable by the web server. Effectively this means that wherever you find Interspire shopping cart, you can take over administration as another user on the same system. ========= Vendor response: "I am aware of how hackers can read configuration files if they have an account on the same server. However, this is an issue for hosting companies, not for us. We are not mandating anything. It is just a fact that the large majority of hosting companies do not run suphp." "It does not look like we are going to agree on this. In my view, this is entirely a hosting related issue, one that can be "fixed" by modifying the config/config.php permissions." ========= Exploit: Look for /home/*/public_html/config/config.php file, or make a symlink to it and read it via the web server.  The interesting bits are ... $GLOBALS['ISC_CFG']["dbServer"] = 'localhost';        $GLOBALS['ISC_CFG']["dbUser"] = 'somedatabse_user';        $GLOBALS['ISC_CFG']["dbPass"] = 'somesecret';        $GLOBALS['ISC_CFG']["dbDatabase"] = 'somedatabase_name';        $GLOBALS['ISC_CFG']["tablePrefix"] = 'isc_';        Once you have database access, application authentication data is in the table isc_users (md5 auth if you want to google it, or you can set your own password and lock the regular user out). ========= Work-arounds: 1. Have a chat with your hosting company and ask them not to let anyone else on the server you are sharing be hacked.  (Recommended by vendor.) 2. In lib/init.php, the following HACK tells the software to ignore the permissions on config/config.php.  After this you can set the permissions securely without breaking the application:        //define('ISC_WRITEABLE_FILE_PERM', fileperms(ISC_CONFIG_FILE));        //define('ISC_WRITEABLE_DIR_PERM', fileperms(dirname(ISC_CONFIG_FILE)));        define('ISC_WRITEABLE_FILE_PERM', 0644);        define('ISC_WRITEABLE_DIR_PERM', 0755); 3. Use other software (e.g. oscommerce, ha ha :) 4. Unpredictable DocumentRoot will help. Chroot of other users will seem to help, provided symbolic links are not permitted.