IBM e-commerce servers vulnerable to hacks
IBM on Wednesday posted an advisory on its Web site alerting customers to a tool that could potentially decrypt administrator and customer passwords stored on servers running some IBM e-commerce software. The tool allows a hacker to decrypt and obtain passwords from sites that use macros to conduct e-commerce transactions. Passwords of both administrators and shoppers could be compromised via this tool, the advisory said.

The affected IBM e-commerce servers include Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite: v4.1, v4.1.1; Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite, Service Provider Edition: v3.2; and WebSphere Commerce Suite, Market Place Edition: v4.1. The vulnerability is present in versions of these servers that run on several operating systems, including IBM's AIX, Microsoft's Windows NT and Sun Microsystems' Solaris.

According to IBM's advisory, administrators first need to verify whether the site has been exposed to the tool. This involves checking the site log for signs that a macro was exposed to the tool. If a hack is confirmed, the next step is eliminating the exposure, which includes changing administrator passwords and securing the macros used to conduct e-commerce transactions. Other recommendations from IBM include changing access permissions on directories and macros.

IBM said it issued the first security alert on this topic in November 1999. Recently, however, hackers released the tool to take advantage of the existing vulnerabilities, prompting the more recent advisory.

According to the Bugtraq mailing list on computer security vulnerabilities, IBM's e-commerce platforms support macro tools that do not properly validate user-supplied input in requests. If a request is made to a vulnerable script, the server can disclose sensitive system information, including the results of arbitrary queries made to the e-commerce server database, according to Bugtraq. The hack also allows a hacker to obtain higher account privileges, Bugtraq said. The mailing list further states that WebSphere Commerce Suite Version 5.1 is not vulnerable to the hack, as it uses different macro technology.

Network World's Kathleen Ohlson contributed to this report.