Title: IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
Severity: HIGH
Description:
Net.Commerce is an e-commerce platform from IBM. Newer versions are called WebSphere Commerce Suite.
A serious vulnerability exists in Net.Commerce 3.x that may grant a remote attacker complete access to the vulnerable host. Because user-supplied input is not validated before it is used in SQL statements, Net.Data macros written for the Net.Commerce platform (including macros installed by default) can allow a remote user to execute arbitrary SQL commands and obtain information from the Net.Commerce database.
This could permit an attacker to query the database and obtain administrator account and password information, which, properly exploited, can lead to a complete compromise of the affected host with the privilege level of the DB2INST1 account. This includes arbitrary file reads and writes, shell commands and database queries.
IBM fixed the vulnerable Administrator macros shipped with the product starting in Net.Commerce Version 3.2 and added access control checks so that they cannot be executed without authentication. The sample macros that ship with the product are still not guaranteed to be safe, and custom macros written by the user may be vulnerable to the same type of attack. WebSphere Commerce Suite Version 5.1 is not vulnerable because it does not use Net.Data macros.
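The following is an added illustration of the vulnerability class described above, not IBM's or Net.Commerce's code and not Net.Data macro syntax: a report routine that pastes an unvalidated request parameter into its SQL text, beside a hardened version that validates the parameter's shape and binds it. The table, column and parameter names, the sample rows and the injected value are all constructed for the illustration; the advisory names none of them.

```python
"""Unvalidated parameter interpolated into SQL, beside the hardened form.

Added example (not from the advisory or from IBM). Table/column names and
data are constructed stand-ins for a commerce database.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a mall table plus a credentials table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE mall (mall_rn INTEGER, name TEXT);
        INSERT INTO mall VALUES (1, 'Demomall'), (2, 'Outlet');
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        """
    )
    return db


def mall_report_vulnerable(db: sqlite3.Connection, mall_rn: str) -> list:
    """Report built the way the advisory describes: the request parameter
    (assumed name mall_rn) is spliced straight into the SQL string."""
    sql = f"SELECT name FROM mall WHERE mall_rn = {mall_rn}"
    return db.execute(sql).fetchall()


def mall_report_hardened(db: sqlite3.Connection, mall_rn: str) -> list:
    """Reject anything that is not a short decimal integer, then bind the
    value as a parameter so it can never change the statement's structure."""
    if not re.fullmatch(r"[0-9]{1,9}", mall_rn):
        raise ValueError("mall_rn must be a decimal integer")
    return db.execute(
        "SELECT name FROM mall WHERE mall_rn = ?", (int(mall_rn),)
    ).fetchall()


# Constructed attacker value: keeps the intended predicate valid and appends
# a UNION that pulls rows out of the credentials table.
INJECTED = "1 UNION SELECT login || ':' || password FROM users"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", mall_report_vulnerable(db, INJECTED))
    print("hardened  :", mall_report_hardened(db, "1"))
    try:
        mall_report_hardened(db, INJECTED)
    except ValueError as err:
        print("hardened rejected injected value:", err)
```

The hardened routine does both checks the Net.Data coding guidelines in the references call for: it validates that the input has the expected shape before use, and it passes the value as a bound parameter rather than as SQL text. Either alone would stop this particular payload; together they also cover parameters whose legitimate values cannot be described by a simple pattern.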
To check whether you are vulnerable use the following URL:
http://<Hostname>/webapp/commerce/command/ExecMacro/mall_dir.d2w/report
or
http://<Hostname>/cgi-bin/ncommerce3/ExecMacro/mall_dir.d2w/report
If you see the Demomall homepage you are likely to be vulnerable. Note that not seeing the Demomall homepage is no guarantee that you are not vulnerable.
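The check above can be scripted. The following is an added example, not part of the advisory and not an IBM tool: it requests both URL forms given above and classifies each response. It assumes the rendered Demomall homepage contains the word "Demomall" in its body; the advisory only says "if you see the Demomall homepage", so the marker string is an assumption, and a 200 response without the marker is reported separately because the advisory warns that absence of the homepage is no guarantee of safety.

```python
"""Probe a host for the Net.Commerce Demomall macro described above.

Added example, not IBM's code. Usage: python probe.py <hostname[:port]>
"""
import sys
import urllib.error
import urllib.request

# Both path forms given in the advisory (mall_dir.d2w is the advisory's own).
CHECK_PATHS = (
    "/webapp/commerce/command/ExecMacro/mall_dir.d2w/report",
    "/cgi-bin/ncommerce3/ExecMacro/mall_dir.d2w/report",
)

# Assumption: the rendered Demomall homepage contains this word in its body.
DEMOMALL_MARKER = b"demomall"


def candidate_urls(hostname: str, scheme: str = "http") -> list:
    """Build the two check URLs for a host (a :port suffix may be included)."""
    return [f"{scheme}://{hostname}{path}" for path in CHECK_PATHS]


def classify_response(status: int, body: bytes) -> str:
    """Map a status code and body to a verdict.

    likely-vulnerable: macro executed and the page looks like Demomall.
    macro-executed:    200 came back but the body does not look like
                       Demomall; inspect manually, absence of the homepage
                       is no guarantee the host is safe.
    not-exposed:       any non-200 status; the macro path did not run here.
    """
    if status == 200 and DEMOMALL_MARKER in body.lower():
        return "likely-vulnerable"
    if status == 200:
        return "macro-executed"
    return "not-exposed"


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """GET a URL and return (status, body); HTTP error statuses are
    returned as data rather than raised so 403/404 can be classified."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_host(hostname: str, timeout: float = 10.0) -> dict:
    """Run the check against both URL forms and return {url: verdict}."""
    results = {}
    for url in candidate_urls(hostname):
        try:
            status, body = fetch(url, timeout)
        except (urllib.error.URLError, OSError) as err:
            results[url] = f"error: {err}"
            continue
        results[url] = classify_response(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <hostname[:port]>")
    for url, verdict in probe_host(sys.argv[1]).items():
        print(f"{verdict:18} {url}")
```

Treat "likely-vulnerable" as a prompt to confirm the product version against the affected list below, not as proof on its own; a "not-exposed" result for both paths says only that this one macro is not reachable at the two documented locations.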
Affected Products:
- IBM Net.Commerce 2.0.0
- IBM Net.Commerce 3.0.0
- IBM Net.Commerce Hosting Server 3.1.1
- IBM Net.Commerce Hosting Server 3.1.2
- IBM Net.Commerce Hosting Server 3.2.0
- IBM Net.Commerce Pro 3.1.0
- IBM Net.Commerce Pro 3.1.1
- IBM Net.Commerce Pro 3.1.2
- IBM Net.Commerce Pro 3.2.0
- IBM Net.Commerce Start 3.1.0
- IBM Net.Commerce Start 3.1.1
- IBM Net.Commerce Start 3.1.2
- IBM Net.Commerce Start 3.2.0
- IBM WebSphere Commerce Suite MarketPlace 4.1.0
- IBM WebSphere Commerce Suite Pro 4.1.0
- IBM WebSphere Commerce Suite Pro 4.1.1
- IBM WebSphere Commerce Suite Service Provider 3.1.2
- IBM WebSphere Commerce Suite Service Provider 3.2.0
- IBM WebSphere Commerce Suite Start 4.1.0
- IBM WebSphere Commerce Suite Start 4.1.1
References:
- IBM: IBM Net.Data Administration and Programming Guide for Workstation v7
- IBM: Letter from Ed Kilroy
- IBM: Net.Data Coding Guidelines for Security
- IBM: Security Issue 2001-1
- IBM: WebSphere Commerce Security Issue 2000-3
- IBM: WebSphere Commerce Security Issue 2000-4
- IBM: WebSphere Commerce Security Issue 2000-5
- IBM: WebSphere Commerce Security Issue 2001-3
- IBM: WebSphere Commerce Security Issue 2001-4
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.