The company that discovered the flaw stressed that it could easily lead to consumer credit-card information being stolen from compromised servers.
"This is a real backdoor -- it's a big security issue," said David Litchfield, director of security and co-founder of Cerberus Internet Security Ltd. "By using a password and a hidden link, we have been able to dump all the passwords out."
The passwords Litchfield refers to are the master keys to the software's data.
Once the passwords are obtained, a network attacker essentially has carte blanche on the server running the software: the intruder can deface the Web site (if it is hosted on the same machine), steal consumer credit-card information and read log files, among other activities.
The master key is a backdoor password -- "wemilo" -- that, when entered in the right way, lists the full-access passwords for all the CART32 clients on the server.
In other cases, in which a single Internet service provider hosts many virtual storefronts for its customers, the passwords for every client will be listed.
ZDNet News, following instructions in the advisory, could list the scrambled passwords for more than 350 sites on one server.
According to Litchfield, the passwords can be used 'as is' to access the CART32 accounts and issue commands with privileged access.
CART32 maker McMurtrey/Whitaker & Associates, Inc. confirmed the backdoor, but thought Cerberus' release of the information was premature.
Pilkenton could not explain what the backdoor had been doing in the software in the first place.
Cerberus' Litchfield gave the company the benefit of the doubt: "It could have been put in there to ease technical support access," he said.
In recent days, a number of "backdoors" have been announced.
A security hole in a Microsoft Corp. Web server product accompanied by the phrase "Netscape engineers are weenies!" garnered a great deal of attention after the Wall Street Journal called the hole 'a backdoor.' It was not.
A week later, Microsoft supporters crowed when a utility in the Red Hat distribution seemingly had a backdoor password that allowed administrator access. In reality, the program shipped with a poorly chosen default password for the system administrator, and it only affected users who had not changed that default, as standard procedure requires.
Ryan Russell, manager of information systems for SecurityFocus.com, said neither flaw amounted to a backdoor.
"Backdoors are passwords that are intentionally hidden as opposed to a default or a programming error," he said, adding that the passwords have to allow extraordinary access into a computer to qualify.
"At first blush, the CART32 hole seems to be a more traditional backdoor," he said.
MWA's Pilkenton said the company's engineers were working on a patch for the flaw and had been notified by e-mail of the problem.
Until that patch is issued, Cerberus recommends that users of CART32 edit the program and change the hidden password from "wemilo" to something else and modify the program's permissions to administrator access only.