An Auckland Web designer has reported attempts to access consumer information on its customers' sites by exploiting the potential holes in shopping cart security outlined previously in Computerworld.
"We log any failed attempts to access our customers' sites and over the last week we've been scanned for files like the ones described in your [May 3] story," says Mike Pearson, managing director of WYSIWYG Web design. WYSIWYG doesn't use any of the shopping carts listed in the story, and no unauthorised access was gained, but Pearson believes it was a deliberate attempt to steal user information.
Certain shopping carts — WebStore 1.0, Order Forms 1.2, EZMall 2000, QuikStore, PDG Shopping Cart 1.5 and SoftCart — were revealed to have security flaws if installed or maintained improperly. User information, such as credit card numbers and mailing addresses, would be stored unencrypted in log files on the server, where anyone using a Web browser could retrieve them.
The sorts of files WYSIWYG's customers' sites were scanned for include /secure/cgi-bin/Web_store/Admin_files/order.log as well as /cgi/ezmall2000/mall_log_files/order.log.
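The kind of check Pearson describes can be run over a Web server's access log. The following is an added example, not code from the article or from WYSIWYG: it flags requests for the two order-log paths named above and separates failed probes from requests where the file was actually served. It assumes Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two paths named in the article, lowercased for comparison.
# Extend this set with the order-log locations of the carts you actually run.
PROBED_PATHS = {
    "/secure/cgi-bin/web_store/admin_files/order.log",
    "/cgi/ezmall2000/mall_log_files/order.log",
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def normalise(target):
    """Drop the query string, decode %-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_probes(lines):
    """Return {client: [(path, status, exposed)]} for requests to known order-log paths."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, _method, target, status = m.groups()
        path = normalise(target)
        if path in PROBED_PATHS:
            exposed = status.startswith("2")  # 2xx: the log file was served
            hits[client].append((path, int(status), exposed))
    return dict(hits)

# Constructed sample log lines (documentation-range addresses, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2024:03:14:07 +1200] "GET /secure/cgi-bin/Web_store/Admin_files/order.log HTTP/1.0" 404 208',
    '192.0.2.10 - - [10/May/2024:03:14:08 +1200] "GET /cgi/ezmall2000/mall_log_files/order.log HTTP/1.0" 404 208',
    '198.51.100.7 - - [10/May/2024:09:30:00 +1200] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [11/May/2024:01:02:03 +1200] "GET /cgi//ezmall2000/mall_log_files/order%2Elog?x=1 HTTP/1.0" 200 48213',
]

if __name__ == "__main__":
    for client, events in find_probes(SAMPLE_LOG).items():
        for path, status, exposed in events:
            label = "EXPOSED" if exposed else "probe"
            print(f"{label:8} {client:15} {status} {path}")
```

A 404 on these paths is a scan that found nothing, as in WYSIWYG's case; a 2xx response means the order log was handed to the requester and should be treated as a disclosure of the customer data it holds.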