CS-Cart: Debug and configuration information - December 27, 2018

Timeline

  • December 27, 2018 – The vulnerability was found by the Simtech Development AWS hosting team.
  • December 27, 2018 – A fix for the robots.txt file was ready. It disables indexing of special technical URLs with sensitive information in the future.
  • December 27, 2018 – The fix for robots.txt was deployed for AWS cloud hosting clients.
  • December 27, 2018 – The CS-Cart development team was informed about the fix for the robots.txt file.
  • December 28, 2018 – Our clients were informed about the recommendations on further actions.
  • January 2, 2019 – GHDB-ID-5064 was obtained.

Remediation TL;DR

As your AWS hosting service provider and dedicated CS-Cart fans, we could not stand aside, so we contributed to the security of CS-Cart users. On December 27, 2018, we produced a hotfix that prevents special technical URLs with sensitive information from being indexed in the future.

Recommendations

  1. Log in via SSH/SFTP and go to the project directory.
  2. Add the line Disallow: /*dispatch=debugger* to the robots.txt file, directly after the line User-agent: *
  3. Contact Google to have the sensitive information removed from search results.
  4. Change all access information, API keys, and credentials for other services that are used in the CS-Cart installations.
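
Steps 1 and 2 can be applied as a repeatable script. The following is an added example, not code from Simtech Development or CS-Cart; the function names has_rule and patch_robots are hypothetical, and it assumes robots.txt lives in the project directory.

```shell
#!/bin/sh
# Added example: apply the robots.txt rule from step 2 idempotently.
RULE='Disallow: /*dispatch=debugger*'

# has_rule FILE: exit 0 if RULE is already inside a group that applies to "User-agent: *".
has_rule() {
    [ -f "$1" ] || return 1
    awk -v rule="$RULE" '
        { sub(/[ \t\r]+$/, "") }                      # tolerate CRLF and trailing blanks
        tolower($0) ~ /^user-agent:/ {
            if (!prev_ua) in_star = 0                 # a new group starts here
            if (tolower($0) ~ /^user-agent:[ \t]*\*$/) in_star = 1
            prev_ua = 1; next
        }
        { prev_ua = 0 }
        in_star && $0 == rule { found = 1 }           # same rule in another group does not count
        END { exit !found }
    ' "$1"
}

# patch_robots FILE: insert RULE right after the "User-agent: *" group header,
# or append a new "User-agent: *" group if the file has none.
patch_robots() {
    file=$1
    has_rule "$file" && return 0                      # already patched: change nothing
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v rule="$RULE" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }
        # First non-header line after the "*" header: put the rule in front of it.
        pending && !done && tolower(line) !~ /^user-agent:/ { print rule; done = 1 }
        tolower(line) ~ /^user-agent:[ \t]*\*$/ { pending = 1 }
        { print }
        END {
            if (done) exit
            if (!pending) { if (NR) print ""; print "User-agent: *" }
            print rule
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"        # cat keeps the file owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone use: sh patch_robots.sh /path/to/project/robots.txt
if [ $# -gt 0 ]; then patch_robots "$1"; fi
```

robots.txt only asks compliant crawlers not to index the URL; it does not restrict access to it, so steps 3 and 4 are still required.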

We also recommend using separate servers for development and production environments.

As the primary solution to this problem and similar ones, we recommend marking links and pages with sensitive information with special tags.

Impact

An unauthorized user can exploit a Google dork, which contains a special search query. Successful exploitation of a Google dork against your website can allow attackers to read sensitive data from the configuration files, CS-Cart settings, and add-ons.

This information may be compromised:

  1. Database, FTP access credentials.
  2. CS-Cart configuration settings (mail sender information such as Google accounts, license key, admin URL, etc.).
  3. Add-on settings (API keys, some credentials for third-party services).

Background Information

Google indexes a lot of data from your website and, when debug mode is on, caches sensitive information such as database access credentials and application settings.

