Yesterday, CNET's News.Com site reported a major security hole on certain Internet auction sites. A security breach could be performed on these sites by manipulating a simple URL. Today, Hackwatch is reporting a similar security hole in software which is being used by a prominent Irish E-commerce website. However, despite the information revealed by the hole, gaining access to the actual credit card details and other data stored on the database is a more complex issue.

The security hole was discovered by Mark O'Neill, who runs an Internet Software Company called Delphium Technologies. While ordering a product on an Irish Ecommerce site, he noticed that by manipulating a simple URL, he could get full access to the database username, database password, and database schema of the site. Armed with this information, a skilled hacker could theoretically retrieve credit card details. In the spirit of ethical hacking, Mark sent an email message to the company informing them of the security hole. Though the file was still accessible at the time of writing, apparently the problem is now being looked into. The security flaw can be fixed by properly setting the permissions on the directory in which the scripts are stored so that they cannot be read remotely. The only thing that should be possible is remote execution of the scripts.

The software in question is Mercantyle from Tryptych Systems Ltd. When used correctly this software is secure. However, when used incorrectly it allows the source code of scripts to be readable on the web. Astonishingly, Tryptych’s demo of the program on their website contains the security hole. By browsing to http://194.217.205.29 you see their demo, but by changing the URL to http://194.217.205.29/Live/scripts/home.htx you see the source code for the script which generated the page.

In the case of Tryptych’s demo, this information is not sensitive, but in the case of the Irish Ecommerce site the information is potentially very dangerous since it could expose information about their database to the world.

Ironically, the Irish site uses SSL for security. This illustrates the perils of Checkbox Security (“We have SSL so it must be secure”). The analogy of the large wall in front of a house with the back door wide open is especially appropriate here.

Interestingly, manipulating a URL to access a site is unlawful according to Ireland’s Criminal Damage Act (1991), providing that an acceptable usage policy is displayed on the site. The precedent case is Touchtel vs Kompass. There is an Irish Times article on the subject. In the case of the web site in question here, no usage policy was displayed. A similar lack of usage policy led to the dismissal in the Dublin Circuit because, according to the Irish Times article, the judge ruled that the information obtained was already publicly available, and there were no restrictions or limitations printed on the Website saying how it should be used.

We are not naming the site in question since: a) we do not want to encourage malevolent hacking, and b) they already know who they are. However, we are publishing this article because a number of lessons can be learned. These are:

- Do not rely on one form of security for your site. Just because you have SSL installed does not mean your site is inherently secure.
- Post an acceptable-usage notice on your website to deter people from manipulating your URLs.
- Do not expect software to be secure “out of the box”. Make sure that you follow the vendor’s instructions and configure it correctly. This is especially true when you are using Windows NT as a server platform.
- When you are notified of a security hole on your site - Act On It Immediately!

Editorial Note:

While the information accessed is not immediately usable, it could lead to a compromise of the more sensitive information held on the database assuming that the potential cracker could find a way to access it remotely. And that is a big "if".

It is possible for the problem to be resolved quickly by setting the permissions of the scripts directory to execute only.

The credit card holder would not necessarily stand to lose as a result. The liability would be limited to the first £50 and it would be possible to dispute the transaction.
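As an added example (not code from this article, Hackwatch, or Tryptych): once the scripts directory has been set to execute-only, as recommended above and in the editorial note, this Python check classifies responses captured from script URLs on your own site as rendered output, a refused read, or leaked source. It assumes IDC/HTX-style directive names and template tags as the markers of leaked source, and the responses below are constructed samples rather than captures from any real site.

```python
import re
from dataclasses import dataclass

# Patterns that indicate a script arrived as source rather than as output.
# Assumed IDC/HTX-style directives and template tags; adapt to your scripts.
SOURCE_MARKERS = [
    re.compile(r"^\s*(Datasource|Username|Password|SQLStatement|Template)\s*:",
               re.MULTILINE | re.IGNORECASE),
    re.compile(r"<%\s*(begindetail|enddetail)\s*%>", re.IGNORECASE),
]


@dataclass
class Response:
    """One HTTP response captured from a script URL on your own site."""
    url: str
    status: int
    content_type: str
    body: str


def classify(resp: Response) -> str:
    """Return 'blocked', 'rendered', 'source-exposed' or 'unexpected'."""
    if resp.status in (401, 403, 404):
        return "blocked"          # execute-only directory refuses a plain read
    if resp.status != 200:
        return "unexpected"
    if any(p.search(resp.body) for p in SOURCE_MARKERS):
        return "source-exposed"   # directives survived: the file was read, not run
    if not resp.content_type.lower().startswith("text/html"):
        return "source-exposed"   # a script that ran returns a page, not a raw file
    return "rendered"


def audit(responses):
    """Classify every captured response; returns [(url, verdict), ...]."""
    return [(r.url, classify(r)) for r in responses]


# Constructed sample responses (not real captures): one correctly rendered
# page, one leaked connector file, and one correctly refused read.
SAMPLES = [
    Response("/Live/scripts/home.htx", 200, "text/html",
             "<html><body><h1>Welcome to the shop</h1></body></html>"),
    Response("/Live/scripts/orders.idc", 200, "text/plain",
             "Datasource: shopdb\nUsername: shopuser\nPassword: EXAMPLE-ONLY\n"),
    Response("/Live/scripts/home.htx", 403, "text/html", "Forbidden"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES):
        print(f"{verdict:15} {url}")
```

Any "source-exposed" verdict means the directory still permits reads and the permission change has not taken effect.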