IBM e-commerce servers vulnerable to hacks
(IDG) -- IBM this week posted an advisory on its Web site that alerted customers to a tool that could potentially decrypt administrator and customer passwords residing on servers that use some IBM e-commerce software.
The tool allows a hacker to decrypt and obtain passwords from sites that use the macros that drive e-commerce transactions. Passwords of both administrators and shoppers could be compromised via this tool, the advisory said.
The affected IBM e-commerce servers include Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite: v4.1, v4.1.1; Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite, Service Provider Edition: v3.2; and WebSphere Commerce Suite, Market Place Edition: v4.1. The vulnerability is found on versions of these servers that run on several operating systems, including IBM's AIX, Microsoft's Windows NT and Sun Microsystems' Solaris.
According to IBM's advisory, administrators first need to verify whether the site has been exposed to the tool. This involves checking the site's log for requests that indicate a macro was exposed to the tool. If exposure is confirmed, the next step is eliminating it, which includes changing administrator passwords and securing the macros used to conduct e-commerce transactions. IBM's other recommendations include tightening access permissions on the directories and macros themselves.
IBM said it issued the first security alert on this topic in November 1999. Recently, however, hackers released the tool to take advantage of the existing vulnerabilities, prompting the more recent advisory.
According to the Bugtraq mailing list on computer security vulnerabilities, IBM's e-commerce platforms support macro tools that do not properly validate user-supplied input in requests. If a crafted request is made to a vulnerable macro, the server can disclose sensitive system information, including the results of arbitrary queries run against the e-commerce server's database, according to Bugtraq. The same flaw also lets a hacker obtain higher account privileges, Bugtraq said.
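The advisory's first step (checking the site log for a macro exposure) and the Bugtraq description (macros that pass unvalidated input into database queries) suggest what such a log check looks like in practice. The following is an added example, not IBM's tool, advisory code or Net.Data/Net.Commerce code: it scans Common Log Format access-log lines for requests to a macro endpoint whose query parameters carry SQL metacharacters or keywords. The endpoint marker `/ExecMacro/`, the parameter names, the macro file names and the log lines are all constructed assumptions; adjust `MACRO_MARKER` to whatever path your deployment actually uses.

```python
"""Flag access-log requests that hit a macro endpoint with SQL-looking input.

Added example (not code from IBM or the original article).  Assumptions,
all hypothetical: logs are in Common Log Format, and macro requests can be
recognised by the substring MACRO_MARKER in the request path.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MACRO_MARKER = "/ExecMacro/"  # hypothetical path fragment; site-specific

# Tokens a shopper never needs in a form value but an attacker needs to
# change the SQL statement a macro builds from that value.
SQL_SIGNS = re.compile(
    r"(['\";]|--|/\*|\b(union|select|insert|update|delete|drop)\b)", re.I
)

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded_value) pairs whose value contains SQL metacharacters.

    parse_qsl already percent-decodes once; the extra unquote() also catches
    values that were double-encoded to slip past naive filters.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if SQL_SIGNS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per macro request that carries suspicious input."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or MACRO_MARKER not in rec["target"]:
            continue  # unparseable, or not a macro request at all
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "host": rec["host"],
                "ts": rec["ts"],
                "status": rec["status"],
                "params": hits,
            })
    return findings


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2001:10:01:22 -0500] "GET /cgi-bin/ExecMacro/catalog.d2w/report?item=1001 HTTP/1.0" 200 4823',
    '192.0.2.44 - - [12/Jan/2001:10:03:07 -0500] "GET /cgi-bin/ExecMacro/catalog.d2w/report?item=1001%27%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- HTTP/1.0" 200 19012',
    '10.0.0.9 - - [12/Jan/2001:10:04:51 -0500] "GET /search?q=o%27reilly HTTP/1.0" 200 1120',
    '198.51.100.7 - - [12/Jan/2001:10:09:13 -0500] "GET /cgi-bin/ExecMacro/login.d2w/report?user=admin%27%20OR%201%3D1-- HTTP/1.0" 500 331',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["host"], f["status"], f["params"])
```

The third sample line contains an apostrophe too, but it is a plain search request rather than a macro request, so it is not reported; the point of the check is the combination of an input-driven macro endpoint and SQL syntax in its parameters, not apostrophes on their own. A 200 response with an unusually large byte count on a flagged request (as in the second sample) is the pattern that would suggest query results were actually returned.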
The mailing list further states that WebSphere Commerce Suite Version 5.1 is not vulnerable to the hack, as it uses different macro technology.