
IBM e-commerce servers vulnerable to hacks

Network World Fusion

(IDG) -- IBM this week posted an advisory on its Web site that alerted customers to a tool that could potentially decrypt administrator and customer passwords residing on servers that use some IBM e-commerce software.

The tool allows an attacker to decrypt and obtain passwords from sites that use the macros employed to conduct e-commerce transactions. Both administrator and shopper passwords could be compromised via this tool, the advisory said.

The affected IBM e-commerce servers include Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite: v4.1, v4.1.1; Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite, Service Provider Edition: v3.2; and WebSphere Commerce Suite, Market Place Edition: v4.1. The vulnerability is found on versions of these servers that run on several operating systems, including IBM's AIX, Microsoft's Windows NT and Sun Microsystems' Solaris.

According to IBM's advisory, administrators first need to verify whether the site has been exposed to the tool. This involves checking the site log for signs that the macros have been accessed by the tool. If a compromise is verified, the next step is eliminating the exposure, which includes changing administrator passwords and securing the macros used to conduct e-commerce transactions. Other recommendations from IBM include changing access permissions on directories and macros.

IBM said it issued the first security alert on this topic in November 1999. Recently, however, hackers released the tool to take advantage of the existing vulnerabilities, prompting the more recent advisory.

According to the Bugtraq mailing list on computer security vulnerabilities, IBM's e-commerce platforms support macro tools that do not properly validate user-supplied input in requests. If a request to a vulnerable script is made, the server can disclose sensitive system information, including the results of arbitrary queries made to the e-commerce server database, according to Bugtraq. The flaw also allows an attacker to obtain higher account privileges, Bugtraq said.

The mailing list further states that WebSphere Commerce Suite Version 5.1 is not vulnerable to the hack, as it uses different macro technology.



4:30pm ET, 4/16
