The Buck Stops Nowhere: How To Hack a Paysite, Part 3

Let’s step back a moment, and consider the situation. Your billing company should take responsibility for protecting your customers’ billing information, and your server admin should take responsibility for protecting your paysite. After all, the billing info is on the billing company’s server, and the paysite is on the admin’s server.

After carefully analyzing the situation, I strongly disagree. Your customers’ credit card data is (usually) secure. Why is this so? Because that’s what your billing company does. They have firewalls, authentication codes, secure logins, and surely keep a careful watch on outside probing. If they’re being hacked, they know it.

But who’s keeping that close an eye on your members area? If someone got a copy of your password file, would you know it? If someone quietly added a couple of passwords, would you know that either? Nobody’s watching! Your billing company doesn’t consider it their responsibility. But if not, whose is it? Think about it: What are you paying them for?

Exploiting the Billing Companies

The basic problem is this: The billing companies are up against some serious technical difficulties when it comes to protecting your paysite. First, the server itself is outside their control. The server itself is your problem, and your server admin’s problem. Second, there’s a basic security flaw in how servers work.

The first consideration is trivial: Go with a hosting company that knows what they’re doing. You’ll pay more, and it will be so worth it.

The second consideration is how servers work. Your billing company has their own secure servers. When the transaction is complete, they need some means of updating your members area so that your new customer may surf on in.

How do billing companies do this? By installing a set of PHP or CGI scripts on your server. When you first opened your paysite, the billing company probably came in, did their thing, did a test signup, and pronounced you ready for business. So far, so good. Let’s call that PHP or CGI script the billing script.

What does your billing script do? It updates your members area password file. This is how your billing company adds a new user, deletes an old user, changes a user password, and so on.

Here’s the problem. Generally speaking, your server makes no distinction between one PHP or CGI script and another. If the billing script has permission to update your password file, any other PHP or CGI script on your server can do so as well! Since your billing script is obviously able to read your password file, that means any other PHP or CGI script could also read your password file – if it were successfully asked to do so.

If a hacker were to manage to get a PHP or CGI script installed on your server, obviously you’re screwed. Your password file is wide open. And, as I explained above, your password file is gloriously crackable. Fortunately, getting a script inserted on someone else’s server is rare, but it does happen. (Would your admin know it if it happened to you?)

However, it is not hard to find an exploitable script on your server. An expoitable script is one that a hacker can use to get a peek at your password file. Remember, if one PHP or CGI script can read the password file, every PHP or CGI script can read that password file. That’s the basic flaw in how Unix and Linux works with the Apache Web Server.

When it comes to exploiting PHP and CGI scripts, reputation doesn’t mean anything. (As of when this article was written many years ago) Matthew Wright’s formmail.pl is one of the most notoriously exploitable – yet I have a $49.95 book on the shelf next to me, CGI/Perl Cookbook by Patchett and Wright. Matt’s Script Archive is well known with high traffic.

A lot of people out there use the formmail.pl feedback form. Somebody sticks in their email address, and the form data gets sent to the site owner. Let one user install such a script anywhere on the server, and every paysite on that server is now wide open. That’s the kind of problem your billing company is up against! (I believe Matt has a more secure version of formmail.pl available these days, but that doesn’t affect the existing installations.)

Everything is readable

So you want to hack a paysite. Do you remember where to start? With a copy of the password file. With a copy of that file – even though the passwords are encrypted – you can literally get cracking. But… how do you get a copy of that file? Isn’t it protected from casual view?

The basic rule of thumb is this: On a Unix or Linux server, you have to assume ANY file is readable. It probably can’t be edited, but it can be read. That’s how Unix and Linux work.

The Unix folks learned years ago – Morris did the teaching – that the master password file is vulnerable. Since it was readable by anyone on the server, that was a problem. Unix itself changed over to a shadow password file, which was not so easily read. It’s now quite rare to hear about a Unix or Linux password file being found and cracked.

Unfortunately, the billing companies don’t have the luxury of hiding your password file. It must remain readable. What’s really unfortunate, though, is that the billing companies – several of them, at least – failed to learn the Morris lesson. They completely forgot that any file on a server is readable! Where there’s a will, there’s a way… and that’s an expensive lesson to forget.

Can you imagine leaving a password laying around in a readable file, in plain text? If you can read the file, you have the password. Several billing companies code their master password right into the script, in plain text. Yes, really! If you can read the file, you have the password. If you have the password, you own the paysite. You can add, change, delete members at will.

Did you catch that? Your members area passwords are encrypted. Most of them are crackable, but they are encrypted. However, several billing companies leave the billing script password on your server in plain text. The billing script encrypts the members passwords, but keeps its own password as plain text!

As you can well imagine, these billing scripts are very popular with the hackers. When someone manages to find a copy of that plain-text password, they’ll post it on the hackers’ board so that everyone can use the script.