E-Cart v1.1 Remote Command Execution

From: Nicolas Montoza (xonico_at_gmail.com)
Date: 04/23/05

  • Next message: Stephen Frost: "Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted"
    Date: Sat, 23 Apr 2005 14:24:29 -0300
    To: bugtraq@securityfocus.com, news@securiteam.com, bugs@securitytracker.com, submissions@packetstormsecurity.org, vuln@secunia.com
    
    

    ============================================================
    Title: E-Cart v1.1 Remote Command Execution
    Vulnerability discovery: SoulBlack - Security Research -
    http://soulblack.com.ar
    Date: 20/04/2005
    Severity: High. Remote Users Can Execute Arbitrary Code.
    Affected version: <= E-Cart 2004 v1.1
    Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
    ============================================================

    ============================================================
    *Summary
    E-Cart is a mod of WepApp written in Perl. It is WebShop.
    ============================================================
    *Problem Description:

    The bug is in the file index.cgi where the variable art that is put
    under "open()", does
    not have a control of data, allowing to the attacker to execute any
    type of commands.

    Vulnerable code
    ---------------
    sub viewart {
       &cartfooter;
       open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA);
    chomp(@data = <DATA>); release(DATA); close(DATA);
           ...
           ...
           ...

    ============================================================

    *Example:

    http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

    ============================================================

    *Xpl:

    http://www.soulblack.com.ar/repo/tools/ecart-xpl.php

    ============================================================

    *Fix:

    Contact the Vendor.
    ============================================================

    --
    SoulBlack - Security Research
    http://www.soulblack.com.ar
    

  • Next message: Stephen Frost: "Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted"