A Microsoft engineer reportedly included a back door in the company’s Microsoft Internet Information Server software that could enable hackers to break into hundreds of thousands of Web sites around the world.
Rain Forest Puppy, one of the experts who discovered the hack, characterized it as “a very specific vulnerability.” The back door makes sites using FrontPage 98 extensions vulnerable to attack.
An advisory posted by Rain Forest Puppy says the offending code is part of the dvwssr.dll file, a component of the NT 4 Option Pack intended for use with InterDev 1.0.
It goes on to say, “The default permissions don’t allow for anonymous users to use the .dll — however, anyone with Web authoring can, and I’ve seen few sites that have allowed permission (which is more due to a misconfiguration on their part).”
According to the Wall Street Journal, there is no evidence that the back door has been exploited.
Against Microsoft Policy
Steve Lipner, the manager of Microsoft’s security response center, acknowledged the online security risk to the Wall Street Journal and said that encoding a back door is “absolutely against our policy.” The offense could get the engineer who coded the back door fired, Lipner said.
Rain Forest Puppy’s advisory says, “Microsoft has told me the immediate problem is more so the fact that any developer of one particular virtual site can download the .asp code of other virtual sites on the same system.”
Microsoft said it will issue an alert telling its customers to delete the offending file. However, Rain Forest Puppy’s advisory says that deleting it will break InterDev 1.0’s ‘View Links’ function, concluding, “If you don’t use Interdev 1.0, you can delete the file and call it a day. If you do use Interdev 1.0, well, it’s your call, but I suggest an upgrade.”
The secret password is “Netscape engineers are weenies!”
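For administrators who cannot delete the file straight away, one defensive check is to look through IIS logs for any request that names dvwssr.dll. The script below is an added example, not code from the advisory or from Microsoft; the log lines are constructed, and the /_vti_bin/_vti_aut/ directory in them is an assumption about where the DLL sits, since the article gives only the file name.

```python
"""Flag requests for dvwssr.dll in IIS W3C extended log lines (added example).

Assumptions: the '#Fields:' header lists the columns in order; only the file
name dvwssr.dll is matched, because the article does not state its URL path.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    client_ip: str
    user: str
    method: str
    uri: str
    status: int
    note: str


def parse_fields(header: str) -> List[str]:
    """Turn an IIS '#Fields: ...' header line into a list of column names."""
    return header.split(":", 1)[1].split()


def scan_iis_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per request whose URI stem ends in dvwssr.dll.

    A 200 means the DLL actually answered; any other status is still reported,
    because a 401/403 shows that someone looked for the file on this host.
    """
    columns: List[str] = []
    findings: List[Finding] = []
    for line in lines:
        if line.startswith("#Fields:"):
            columns = parse_fields(line)
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request
        row = dict(zip(columns, line.split()))
        uri = row.get("cs-uri-stem", "")
        if not uri.lower().endswith("dvwssr.dll"):
            continue
        status = int(row.get("sc-status", "0"))
        note = "dvwssr.dll served (200)" if status == 200 else f"dvwssr.dll requested, status {status}"
        findings.append(Finding(row.get("c-ip", "-"), row.get("cs-username", "-"),
                                row.get("cs-method", "-"), uri, status, note))
    return findings


# Constructed sample log; addresses and usernames are made up for this example.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    "2000-04-14 09:12:01 10.0.0.5 - GET /default.asp 200",
    "2000-04-14 09:12:07 10.0.0.9 author1 GET /_vti_bin/_vti_aut/dvwssr.dll 200",
    "2000-04-14 09:13:40 10.0.0.22 - GET /_vti_bin/_vti_aut/dvwssr.dll 401",
]

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 from an authoring account is the case the advisory describes: a user with Web authoring rights reaching the DLL, which deserves a look at what that account fetched next.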
E-Commerce Back Door
Another back door has left over 200 users of the popular e-commerce Dansie Shopping Cart vulnerable to hack attacks. The developer of the software, Craig Dansie of Moreno Valley, California, allegedly built in a back door that allows him, or anyone else who figures out the nine-digit password, to access servers using the shopping cart.
Kasey Johns, Webmaster for Lonestar Badge and Sign of Martindale, Texas, discovered the problem in late March while reviewing the program’s source code.
Johns told the E-Commerce Times that he did not believe the back door had been used “to gain access to servers in the sense of full-on violation.” He added, “So far, all I’ve seen the backdoor used for is to delete the script itself and to delete one of the script’s data files — in effect, Mr. Dansie is using it exactly as he insisted in e-mail to me, to ensure copyright and license compliance.”
Johns said he had not seen the back door used in a sinister manner, but he added, “The potential is there for anyone to utilize this code, and I’ve received reports from other Dansie customers of a few incidents that were much more sinister.”
Potential for Full-Blown Server Crack
Johns gave credit to Joe Harris at Blarg! Online for discovering the back door. Harris told the E-Commerce Times, “This ‘feature’ allows anyone, anywhere, to destroy the Web site and potentially hack the entire server, with the single click of a mouse.”
He added, “In short, Dansie included in their cart exactly what a hacker is looking for — a way to bypass all the security on the server and execute commands. The people who purchased this cart were placing their trust in Dansie, and he violated that trust. Deliberately.”
Dansie could not be reached for comment, but Harris said the company is offering a patch that will fix the problem. Harris recommended that customers “obtain and install a clean copy of the cart immediately. They’ll need to decide for themselves if they trust Dansie Web Design enough to continue using their software.”
Johns said, “This speaks to the benefits of true open source — that you can see the code, see what’s in it, and most importantly, modify it if you find something disturbing. Just imagine if this had been one of the bigger software players — Corel, or Microsoft, or AOL.”