IBM on Wednesday posted an advisory on its Web site that alerted customers to a tool that could potentially decrypt administrator and customer passwords residing on servers that use some IBM e-commerce software.
The tool, SUQ.DIQ version 1.00, allows a hacker to decrypt and obtain passwords from sites that utilise macros used to conduct e-commerce transactions. Passwords of administrators and shoppers could be compromised via this tool, said the advisory.
The affected IBM e-commerce servers include Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite: v4.1, v4.1.1; Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite, Service Provider Edition: v3.2; and WebSphere Commerce Suite, Market Place Edition: v4.1. The vulnerability is found on versions of these servers that run on several operating systems, including IBM's AIX operating system, Microsoft's Windows NT and Sun Microsystems' Solaris OS.
According to IBM's advisory, administrators first need to verify whether the site has been exposed to the tool. This involves checking the site log for the possibility of a macro exposure to the tool. If a hack is verified, the next step involves eliminating the exposure, which includes changing administrator passwords and securing the macros used to conduct e-commerce transactions. Other recommendations from IBM include changing access permissions to directories and macros.
According to the Bugtraq mailing list on computer security vulnerabilities, IBM's e-commerce platforms support macro tools that do not properly validate requests in user-supplied input. If a request to a vulnerable script is made, the server can disclose sensitive system information, including results of arbitrary queries made to the e-commerce server database, according to Bugtraq. The hack also allows a hacker to obtain higher account privileges, Bugtraq said.
The mailing list further states that WebSphere Commerce Suite Version 5.1 is not vulnerable to the hack as it uses different macro technology.
IBM couldn't immediately be reached for comment.
The Bugtraq mailing list can be accessed at http://www.securityfocus.com/. The advisory is available at http://www-4.ibm.com/software/webservers/commerce/servers/2001-2.htm.
