exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wp-02-0012.txt

wp-02-0012.txt
Posted Jul 11, 2002
Authored by Matt Moore | Site westpoint.ltd.uk

Westpoint Security Advisory wp-02-0012 - The Carello shopping cart v1.3 uses hidden fields to specify names of executables on the server, allowing an attacker to run arbitrary commands.

tags | arbitrary
SHA-256 | 9887d380b7d1e54dae208b58a265e0fcad7f19f519c4c30e79789a422c384c4c

wp-02-0012.txt

Change Mirror Download
Westpoint Security Advisory

Title: Carello 1.3 Remote File Execution
Risk Rating: Medium
Software: Carello Shopping Cart
Platforms: Win2k, WinNT
Vendor URL: www.carelloweb.com
Author: Matt Moore <matt@westpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0012


Overview:
=========

Carello 1.3 is a web based shopping cart solution, which uses hidden HTML form
fields to specify executables to handle POSTed form data.

Details:
========

Remote File Execution
---------------------

Carello uses hidden form fields to specify the names of executables on the server which
are to handle POSTed form data. This allows an attacker to manipulate the HTML to
specify arbitrary executables, which the Carello server software will then run. For
example, a typical section of an HTML page created by Carello looks like (angle brackets
omitted):

form method="POST" action="http://server/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value="c:\inetpub\..carello-exe-file"
input type=....etc etc

Carello .dll only appears to check that the string 'inetpub' is in the requested path.

Hence, specifying a value like 'c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe'
bypasses this check, allowing arbitrary files to be executed.

Caveat:
-------
It does not appear to be possible to pass parameters to the executed program,
which lessens the severity of this vulnerability. However, it would be more serious
if an attacker could upload files to the server (e.g. via ftp)

Vendor response:
================
The vendor indicated that the vulnerability will be fixed in the next version
of Carello. When asked for an expected release date, they replied that:

'Unfortunately, we do not have a plan to upgrade the program so far. But I put
your indication on our program modification request list.'

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close