
CactuShop v6.x security issues

Item: #977
Date: 1 Jul 2007
Applies to: v6

Question

I have read reports of a security vulnerability with CactuShop v6: "CACTUSHOP 6 Default Installation Allows Remote Database Disclosure". Can you provide more information and a fix?

Answer

Recently, some software security websites have syndicated a security issue relating to CactuShop v6. The issue states that when the store uses an Access database left in the default location, the database file can be downloaded through the browser, and all of the data in it, including the back-end login details, can then be read by an attacker.

As with most of these amateur security advisories, those announcing the issue do not appear to be interested in helping users of the affected software: no attempt is made to link to our site, to include the feedback we have provided, or to refer to the guidance given in our documentation.

The report itself is inaccurate in that it was the trial version that was tested. As clearly stated in the manual, the trial is designed to be easy to set up, and it is made clear that the trial is not secure. Furthermore, the report states that the database contains credit card information, which is disingenuous: the trial version has no payment scripts and cannot accept orders. Even with the full version, the vast majority of stores follow our advice and never configure the store to save credit card numbers.

It is important to understand that this is not a flaw in the CactuShop software specifically. It applies to any web application that uses an Access database if the database is not set up properly: a .mdb file placed inside the web root is a static file like any other, and the web server will serve it to anyone who requests its URL. Listing this as a security vulnerability is rather like listing a security issue with a safe because the user can forget to bolt it to the floor to prevent the whole thing being carried off. As with the safe, the security of the software depends on appropriate setup.

Since its debut in May 2006, there have been no SQL injection or cross-site scripting (XSS) vulnerabilities discovered in v6. The only vulnerability so far documented is the issue of unprotected Access databases being downloaded, and this is 100% preventable with correct setup.

We would go further than the actual security bulletin and encourage all store owners and developers who use Access to ensure that the database is not just moved from the default location, but that measures are taken to make it impossible to download it other than through the protected back-end feature or FTP. In other words, an attacker must not be able to download it through a browser even if they know the exact name and location of the file. The usual way to achieve this is to keep the file in a folder outside the published web root and reference it from the connection string by file-system path, or to have the web server refuse to serve .mdb files at all. Simply renaming the file or moving it to another folder under the web root is not sufficient, because the new name can be guessed or leaked. If your store's database was ever reachable from a browser, treat the back-end login details stored in it as compromised and change them after securing the file.
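The check described above, as an added example that is not CactuShop code: a small Python script that requests the database file by URL and decides whether the web server actually handed back an Access file. It keys on the fixed "Standard Jet DB" / "Standard ACE DB" signature in the first bytes of a .mdb/.accdb rather than on the HTTP status alone, because a store with a custom error page can return 200 for a missing file. The store URL, the database path and the sample responses in the block are constructed assumptions for illustration.

```python
"""Check whether an Access database file is downloadable through the web server.

Added example, not part of CactuShop. The base URL, database path and the
sample responses below are constructed assumptions for illustration.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Access/Jet database files begin with a fixed 19-byte signature.
JET_SIGNATURES = (
    b"\x00\x01\x00\x00Standard Jet DB",  # .mdb (Jet 3.x / 4.x)
    b"\x00\x01\x00\x00Standard ACE DB",  # .accdb (Access 2007+)
)

# Constructed sample responses, used by demo() so the script runs offline.
SAMPLE_RESPONSES = {
    "default_location": (200, b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12),
    "moved_outside_webroot": (404, b""),
    "custom_error_page": (200, b"<html><body>Page not found</body></html>"),
    "mdb_extension_blocked": (403, b""),
}


def classify_response(status: int, body: bytes) -> str:
    """Classify an HTTP response to a request for the database file.

    Returns "exposed" when the server returned the raw Access file, otherwise
    "blocked" (an error status, or a 200 that is not an Access file, e.g. a
    custom error page returned with status 200).
    """
    if status == 200 and any(body.startswith(sig) for sig in JET_SIGNATURES):
        return "exposed"
    return "blocked"


def probe(base_url: str, db_path: str, timeout: float = 10.0) -> str:
    """Request base_url + db_path and classify the response.

    Only the first 32 bytes of the body are read: enough to recognise the file
    signature without downloading the whole database.
    """
    url = urljoin(base_url, db_path)
    req = urllib.request.Request(url, headers={"User-Agent": "mdb-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(32))
    except urllib.error.HTTPError as err:
        # 401/403/404 etc. all mean the file was not served.
        return classify_response(err.code, b"")


def demo() -> dict:
    """Run the classifier over the constructed sample responses."""
    return {name: classify_response(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python check_mdb.py https://shop.example.com/ path/to/store.mdb
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

Run it against your own store with the path the database is (or was) published under; any result of "exposed" means the file can be fetched by anyone who knows or guesses the URL, regardless of what the back end's own login protects.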

We urge all store owners and developers to review the security advice available through our knowledgebase which is updated to reflect any new threats or issues.

No patch is required. This issue simply requires the software to be set up in accordance with our documentation.

[#988] CactuShop security setup
