The company that discovered the flaw stressed that it could easily lead to consumer credit-card information being stolen from compromised servers.
"This is a real backdoor -- it's a big security issue," said David Litchfield, director of security and co-founder of Cerberus Internet Security. "By using a password and a hidden link, we have been able to dump all the passwords out."
The passwords Litchfield refers to are the master keys to the software's data.
Once those passwords are obtained, a network attacker essentially has carte blanche on the server running the software, letting the cyberthief deface the Web site (if hosted on the same machine), steal consumer credit-card information and read log files, among other activities.
The password is ... 'wemilo'
The master key is a backdoor password -- "wemilo" -- that when entered in the right way, lists the full-access passwords for all the CART32 clients on the server.
In many cases, where a single company uses the software, an attacker will be able to extract the single password that accesses the CART32 software for that company's storefront on the computer.
In other cases, where a single Internet service provider hosts many virtual storefronts for its customers, the passwords for every client will be listed.
ZDNet News, following instructions in the advisory, could list the scrambled passwords for more than 350 sites on one server.
According to Litchfield, the passwords can be used 'as is' to access the CART32 accounts and issue commands with privileged access.
CART32 maker: 'They gave us no time'
CART32 maker McMurtrey/Whitaker & Associates confirmed the backdoor, but thought Cerberus' release of the information was premature.
"They gave us no time on this -- zero," said Mark Pilkenton, technical support with McMurtrey/Whitaker & Associates. "They just told the world first."
Pilkenton could not explain what the backdoor had been doing in the software in the first place.
Cerberus' Litchfield gave the company the benefit of the doubt: "It could have been put in there to ease technical support access," he said.
In recent days, a number of "backdoors" have been announced.
'Backdoors' all the rage
A security hole in a Microsoft Web server product accompanied by the phrase "Netscape engineers are weenies!" garnered a great deal of attention after the Wall Street Journal called the hole 'a backdoor.' It was not.
A week later, Microsoft supporters crowed when a utility in the Red Hat distribution seemingly had a backdoor password that allowed administrator access. In reality, the program had a poor choice of default passwords for the system administrator and only affected users who did not change it, as is standard procedure.
Ryan Russell, manager of information systems for SecurityFocus.com, said neither flaw amounted to a backdoor.
"Backdoors are passwords that are intentionally hidden as opposed to a default or a programming error," he said, adding that the passwords have to allow extraordinary access into a computer to qualify.
Advice: Change that password
"At first blush, the CART32 hole seems to be a more traditional backdoor," he said.
MWA's Pilkenton said the company's engineers were working on a patch for the flaw and had been notified by e-mail of the problem.
Until that patch is issued, Cerberus recommends that users of CART32 edit the program to change the hidden password from "wemilo" to something else and restrict the program's permissions to administrator access only.