[CommerceSQL] Remote File Read Vulnerability

From: Mariusz Ciesla (craig_at_tenbit.pl)
Date: 11/23/03

    Date: 23 Nov 2003 18:47:39 -0000
    To: bugtraq@securityfocus.com
    
    

    CommerceSQL shopping cart (http://commercesql.com) allows remote file reading. A specially prepared page variable passed to index.cgi is all that is needed to read remote files (like /etc/passwd).

    By using a prepared GET page variable, a user can read remote files.

    Example:
    Requesting index.cgi?page=../../../../../../../../etc/passwd puts your /etc/passwd on the screen of a potential attacker.

    Vulnerable:
    * All CommerceSQL Shopping Cart Versions

    Exploits:
    * Not needed

    Patch:
    * Not yet available

    -- 
    Mariusz "Craig" Cieśla <craig@tenbit.pl>
    getNet network administrator / security consultant
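
With no patch available, one way to confine the page variable to a template directory and to find matching requests in an access log, as an added example that is not CommerceSQL code and not part of the original advisory. PAGE_ROOT, the function names and the log lines are assumptions constructed for illustration; the check goes beyond the advisory's single case by also rejecting absolute paths, NUL bytes and percent-encoded input.

```python
import os
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: page templates live under one directory (hypothetical path).
PAGE_ROOT = "/var/www/shop/pages"

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Nov/2003:18:50:01 +0000] "GET /cgi-bin/index.cgi?page=about.html HTTP/1.0" 200 2310',
    '192.0.2.77 - - [23/Nov/2003:18:51:12 +0000] "GET /cgi-bin/index.cgi?page=../../../../../../../../etc/passwd HTTP/1.0" 200 1143',
    '192.0.2.77 - - [23/Nov/2003:18:51:40 +0000] "GET /cgi-bin/index.cgi?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 1143',
    '192.0.2.77 - - [23/Nov/2003:18:52:05 +0000] "GET /cgi-bin/index.cgi?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 1143',
]

def resolve_page(page, root=PAGE_ROOT):
    """Return the absolute path for `page` if it stays inside `root`, else None."""
    if not page or "\x00" in page:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, page))
    # commonpath compares whole components, so /pages-old never matches /pages.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def flag_requests(log_lines, root=PAGE_ROOT):
    """Return (line, page) pairs for index.cgi requests whose page value leaves root."""
    hits = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split()[1]  # request target inside the quotes
        except IndexError:
            continue  # malformed line, nothing to inspect
        parts = urlsplit(target)
        if not parts.path.endswith("index.cgi"):
            continue
        for page in parse_qs(parts.query).get("page", []):
            # parse_qs decodes once; decode again to catch double-encoded input.
            if any(resolve_page(p, root) is None for p in (page, unquote(page))):
                hits.append((line, page))
    return hits

if __name__ == "__main__":
    for line, page in flag_requests(SAMPLE_LOG):
        print("traversal attempt:", page)
```
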
    
