 |
 |
|
|
|
||||||||||||||||||||||||||||||
|
IBM e-commerce servers vulnerable to hacks
(IDG) -- IBM this week posted an advisory on its Web site that alerted customers to a tool that could potentially decrypt administrator and customer passwords residing on servers that use some IBM e-commerce software. The tool allows a hacker to decrypt and obtain passwords from sites that utilize macros used to conduct e-commerce transactions. Passwords of administrators and shoppers could be compromised via this tool, said the advisory. The affected IBM e-commerce servers include Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite: v4.1, v4.1.1; Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2; WebSphere Commerce Suite, Service Provider Edition: v3.2; and WebSphere Commerce Suite, Market Place Edition: v4.1. The vulnerability is found on versions of these servers that run on several operating systems, including IBM's AIX, Microsoft's Windows NT and Sun Microsystems' Solaris.
According to IBM's advisory, administrators first need to verify whether the site has been exposed to the tool. This involves checking the site log for the possibility of a macro exposure to the tool. If a hack is verified, the next step involves eliminating the exposure, which includes changing administrator passwords and securing the macros used to conduct e-commerce transactions. Other recommendations from IBM include changing access permissions to directories and macros. IBM said it issued the first security alert on this topic in November 1999. Recently, however, hackers released the tool to take advantage of the existing vulnerabilities, prompting the more recent advisory. According to the Bugtraq mailing list on computer security vulnerabilities, IBM's e-commerce platforms support macro tools that do not properly validate requests in user-supplied input. If a request to a vulnerable script is made, the server can disclose sensitive system information, including results of arbitrary queries made to the e-commerce server database, according to Bugtraq. The hack also allows a hacker to obtain higher account privileges, Bugtraq said. The mailing list further states that WebSphere Commerce Suite Version 5.1 is not vulnerable to the hack, as it uses different macro technology. RELATED STORIES:
FBI warns companies about Russian hacker attacks RELATED IDG.net STORIES:
Top 5 encryption utilities RELATED SITES:
Security Focus |
|
|
SCI-TECH
Study: Gadget sales flat Protest slams Dell's use of prison labor Steve Jobs keeps Apple in the limelight (MORE)
![[CNN.com]](http://i.cnn.net/cnn/images/newsnet/cnnlogo.gray.gif){kind=small} TOP STORIESN. Y. plans to heal skyline Stocks rise on Case departure Lieberman's presidential announcement today New arrests may be linked to UK ricin scare (MORE)
![[SI.com]](http://i.cnn.net/cnn/images/main/si.logo.gif){kind=logo} SPORTSJordan says farewell for the third time Shaq could miss playoff game for child's birth Ex-USOC official says athletes bent drug rules (MORE)
 All Scoreboards
|
|
||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
| Back to the top | |
© 2003 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved. Terms under which this service is provided to you. Read our privacy guidelines. Contact us. |
![[CNN Money]](http://i.cnn.net/cnn/images/main/fn.logo.newsnet.gif){kind=logo}
(