At the Melbourne office of Fontis, the developer of the Click Frenzy website, the phone is answered with a recorded message proclaiming the company “Australia’s premiere Magento enterprise partner.” Its blog includes a definitive installation guide for the e-commerce system. Yet a basic Magento configuration error left important security information exposed to the world.
The entire Magento directory of the Click Frenzy website was left world readable, including configuration files containing details such as the internet protocol (IP) address of its database server, and the log-in username and password.
The problem was first brought to ZDNet’s attention shortly after 9 a.m. AEDST this morning by penetration tester Darren Arnott, principal consultant with information security company Trusted Impact.
By mid morning, it was clear that others had found the problem, as the URLs of key configuration files were also being passed around by developers and systems administrators, who were curious about Click Frenzy’s architecture and the causes of its failure last night.
Arnott discovered the problem while trying to access the overloaded website. “Like everyone else, I had a family behind me trying to connect,” he said.
“I’m aware that a default Magento installation will often leave directories exposed. On previous experience with other sites that had this issue, as well as database usernames and passwords, it can expose things such as the browser session ID, making session hijacking possible.”
Depending on the particular configuration, it can also expose customers’ personal information, such as name, address, and email address, as well as purchase histories.
In Click Frenzy’s case, a 10-megabyte system log file was exposed, as well as a CSV file named catalog_product.csv.
“They obviously didn’t follow the standard best practice for hardening the application,” said web developer Brendan Sainsbury from Intermediary Contracting, who includes Magento in his toolkit.
“If they’re working in an e-commerce environment, these are the things you cover off, the things that you have to do,” Sainsbury told ZDNet.
“Even if they had to rapidly deploy to another environment, [transferring an archive] carries across the file permissions.”
Chris Gatford, director of penetration-testing firm HackLabs, isn’t surprised that this error was discovered.
“The project sounds more successful than they had anticipated. Any fast, furious, and unplanned move to a new platform can often have some serious security consequences,” he told ZDNet.
Gatford said that three to four out of every 10 penetration tests conducted by his firm reveal exposed passwords in default locations.
“You can have all the skills and all the experience in a specific platform, but you do need a third-party check-over to get some comfort,” he said.
Fontis declined to comment on the incident, although it appears that access controls on the Click Frenzy website have been revised since ZDNet contacted the company.
