A cautionary note for CCBill users

From: SANS Critical Vulnerability Analysis
July 7, 2003, Vol. 2, No. 26

---

HIGH: CCBill whereami.cgi Remote Command Execution

Affected Products
CCBill current versions

Description
It has been reported that the "whereami.cgi" CGI program included with
the CCBill online payment software allows remote attackers to execute
arbitrary shell commands on the server. This vulnerability was reported
by an administrator investigating a server compromise, and it is not
yet clear whether the problem actually exists in the script shipped by
CCBill, or whether the copy of the script on the compromised host was
modified by attackers to contain a backdoor.

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.

Risk: Remote compromise of systems running CCBill. Attackers would gain
the privileges of the web server process.

Deployment: Significant.
According to the vendor website, CCBill is a leader in online credit
card processing, and its software performs hundreds of millions of
dollars in transactions each year for customers worldwide.

Ease of Exploitation: Disputed.
One posting indicates that an attacker can simply pass shell commands
to the vulnerable CGI program as the value for the parameter "g" and
the commands will be executed. However, another posting disputes this
finding. Example web request to execute "ls" on the server:
http://[target]/ccbill/whereami.cgi?g=ls
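As an added, defender-side example (not from the advisory or from CCBill), the following Python scans web-server access-log lines for requests to whereami.cgi whose "g" value looks like a shell command rather than a location name; the log lines, the expected-value pattern and the command-word list are constructed assumptions, since the advisory does not document the parameter's legitimate format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Constructed sample lines in Apache combined-log format; none come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/2003:10:14:02 +0000] "GET /ccbill/whereami.cgi?g=ls HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Jul/2003:10:14:09 +0000] "GET /ccbill/whereami.cgi?g=ls%2520-la%253Bid HTTP/1.0" 200 1840 "-" "Mozilla/4.0"
198.51.100.4 - - [07/Jul/2003:10:20:33 +0000] "GET /ccbill/whereami.cgi?g=home HTTP/1.0" 200 220 "-" "Mozilla/4.0"
198.51.100.9 - - [07/Jul/2003:10:21:01 +0000] "GET /index.html?g=ls HTTP/1.0" 200 3120 "-" "Mozilla/4.0"
"""
# Client IP, timestamp, method and request target from the combined-log request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Characters with meaning to /bin/sh; a location name should never need them.
SHELL_META = re.compile(r'[;|&`$<>(){}\\\s]')
# Assumed shape of a legitimate value (the advisory does not document the real format).
EXPECTED_VALUE = re.compile(r'^[A-Za-z0-9_.-]{1,64}$')
# Bare command names that are not plausible location values.
COMMAND_WORDS = {"ls", "id", "cat", "uname", "wget", "curl", "sh", "bash", "perl", "nc"}

def classify_g(value):
    """Return a reason string if the decoded 'g' value looks like a command, else None."""
    if SHELL_META.search(value):
        return "shell metacharacter or whitespace"
    if not EXPECTED_VALUE.match(value):
        return "outside expected character set"
    if value.lower() in COMMAND_WORDS:
        return "bare command name"
    return None

def suspicious_whereami_requests(log_text):
    """Return (ip, timestamp, decoded_g, reason) for every whereami.cgi request that trips a check."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/whereami.cgi"):
            continue
        # parse_qs strips one layer of %-escapes; unquote again so a double-encoded value is judged on what the shell would see.
        for raw in parse_qs(url.query, keep_blank_values=True).get("g", []):
            decoded = unquote(raw)
            reason = classify_g(decoded)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), decoded, reason))
    return findings

if __name__ == "__main__":
    for hit in suspicious_whereami_requests(SAMPLE_LOG):
        print("ALERT %s [%s] g=%r (%s)" % hit)
```

Running it against the sample flags the bare "ls" request and the double-encoded "ls -la;id" request, while the plain "home" value and the request to a different CGI are left alone.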

Status: Not confirmed. The vendor has reportedly been notified but has
not responded.

References
Posting by Dayne Jordan
http://archives.neohapsis.com/archiv...3-07/0014.html

Postings by Tri Huynh and Andrew Simmons
http://lists.netsys.com/pipermail/fu...ly/010892.html
http://archives.neohapsis.com/archiv...3-07/0018.html
http://archives.neohapsis.com/archiv...3-07/0020.html

Posting by xtm (dispute)
http://archives.neohapsis.com/archiv...3-07/0017.html

Vendor Web Page
http://about.ccbill.com/

SecurityFocus BID
http://www.securityfocus.com/bid/8095
