Password exposed in Click Frenzy security slip

Password exposed in Click Frenzy security slip

Summary: The username, password, and IP address for the Click Frenzy back-end database were visible to the entire internet for hours.

SHARE:

At the Melbourne office of Fontis, the developer of the Click Frenzy website, the phone is answered with a recorded message proclaiming the company "Australia's premiere Magento enterprise partner." Its blog includes a definitive installation guide for the e-commerce system. Yet a basic Magento configuration error left important security information exposed to the world.

The entire Magento directory of the Click Frenzy website was left world readable, including configuration files containing details such as the internet protocol (IP) address of its database server, and the log-in username and password.

The problem was first brought to ZDNet's attention shortly after 9 a.m. AEDST this morning by penetration tester Darren Arnott, principal consultant with information security company Trusted Impact.

By mid morning, it was clear that others had found the problem, as the URLs of key configuration files were also being passed around by developers and systems administrators, who were curious about Click Frenzy's architecture and the causes of its failure last night.

Arnott discovered the problem while trying to access the overloaded website. "Like everyone else, I had a family behind me trying to connect," he said.

"I'm aware that a default Magento installation will often leave directories exposed. On previous experience with other sites that had this issue, as well as database usernames and passwords, it can expose things such as the browser session ID, making session hijacking possible."

Depending on the particular configuration, it can also expose customers' personal information, such as name, address, and email address, as well as purchase histories.

In Click Frenzy's case, a 10-megabyte system log file was exposed, as well as a CSV file named catalog_product.csv.

"They obviously didn't follow the standard best practice for hardening the application," said web developer Brendan Sainsbury from Intermediary Contracting, who includes Magento in his toolkit.

"If they're working in an e-commerce environment, these are the things you cover off, the things that you have to do," Sainsbury told ZDNet.

"Even if they had to rapidly deploy to another environment, [transferring an archive] carries across the file permissions."

Chris Gatford, director of penetration-testing firm HackLabs, isn't surprised that this error was discovered.

"The project sounds more successful than they had anticipated. Any fast, furious, and unplanned move to a new platform can often have some serious security consequences," he told ZDNet.

Gatford said that three to four out of every 10 penetration tests conducted by his firm reveal exposed passwords in default locations.

"You can have all the skills and all the experience in a specific platform, but you do need a third-party check-over to get some comfort," he said.

Fontis declined to comment on the incident, although it appears that access controls on the Click Frenzy website have been revised since ZDNet contacted the company.

Topics: Security, E-Commerce, Australia

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Magento

    On behalf of Fontis, I acknowledge that for a period during the Click Frenzy event, a configuration issue on a set of servers hosting the website existed for a period of time, which allowed certain application files to be made accessible if a user could deliberately locate them.

    This accessibility did not lead to any form of security breach, and the servers in question were not compromised in any way. The database server credentials to which the article refers were for a private database server which was not publicly accessible. The CSV import file contained only listing data which was used to populate the public deal listing pages, and did not include any data that wasn’t already intended for publication.

    Further, no personal information was ever put at risk. At no stage was any personal information collected and stored on the servers used for the Click Frenzy website. Session hijacking was also a non-issue in this instance as sessions had been disabled given that the site comprised of static content only.

    We have now completed a review of the circumstances that allowed the configuration issue to occur and are in the process of implementing changes to ensure that a similar mistake cannot be made in future. We’ve provided the full technical details and discussion of the issue that led to the disclosure on our blog, and have released an accompanying patch and details of how Magento can be restructured to eliminate the possibility of this type of issue from occurring in the first place. We would urge other Magento users to review the changes and consider whether they might be appropriate for their own sites.

    Lloyd Hazlett
    Fontis
    fontis
  • One way of leaving the back doors hanging off the hinges...

    If you installed Magento via any other method than the downloader, then when you come to use Magento Connect, you will find that you are unable to due to permissions. For Magento Connect to work, all folders must have 777 permissions.

    If you have SSH access to your server, you can fix this by running the following command:

    find ./ –type d –exec chmod 777 {} \;

    If you don't have SSH access you could try a php based SSH emulator instead.

    The other option is to use Filezilla 3 to recursively chmod the files for you. This can take a little while to run, but at least you don't have to do it manually!
    Boomslang