E-Cart v1.1 Remote Command Execution Vulnerability

From: Emanuele (emanuele_at_orvietolug.org)
Date: 04/24/05

    To: <bugtraq@securityfocus.com>
    Date: Sun, 24 Apr 2005 04:15:02 +0200
    
    
    

    Exploit for "Cart v1.1 Remote Command Execution Vulnerability" discovery:
    SoulBlack

    ============================================================
    Title: E-Cart v1.1 Remote Command Execution Vulnerability
    Discovery: SoulBlack - Security Research - http://soulblack.com.ar
    Date: 20/04/2005
    Severity: High. Remote Users Can Execute Arbitrary Code.
    Affected version: <= E-Cart 2004 v1.1
    Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
    ============================================================

    ============================================================
    *Summary
    E-Cart is a mod of WebAPP written in Perl. It is a web shop.
    ============================================================
    *Problem Description:

    The bug is in the file index.cgi, where the variable art is passed to
    "open()" without any validation, allowing an attacker to execute
    arbitrary commands.

    Vulnerable code
    ---------------
    sub viewart {
       &cartfooter;
       open(DATA, "$catdir/$info{'cat'}/$info{'art'}");
       hold(DATA);
       chomp(@data = <DATA>);
       release(DATA);
       close(DATA);
           ...
           ...
           ...

    ============================================================

    *Example:

    http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

    ============================================================

    *Xpl:

    http://www.soulblack.com.ar/repo/tools/ecart-xpl.php

    ============================================================

    *Fix:

    Contact the Vendor.
    ============================================================

    --
    SoulBlack - Security Research
    http://www.soulblack.com.ar
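
Perl's two-argument open() treats a trailing "|" in its argument as a request to run a command, which is why the unchecked art value above is dangerous. The following is an added example, not E-Cart's or the advisory author's code, showing one way to harden the read: the helper name read_article, the file-name policy, the use of flock in place of the mod's hold()/release(), and the sample inputs are all assumptions.

```perl
#!/usr/bin/perl
# Added example (not E-Cart's code): hardened replacement for the
# open() call in viewart.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

# Assumption: category and article names are plain file names made of
# letters, digits, '_', '-' and '.', and never start with a dot.
my $SAFE_NAME = qr/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}\z/;

# Hypothetical helper: returns a reference to the article's lines, or
# undef when a name is rejected or the file cannot be opened.
sub read_article {
    my ($catdir, $cat, $art) = @_;
    for my $name ($cat, $art) {
        return unless defined $name && $name =~ $SAFE_NAME;
    }
    my $path = "$catdir/$cat/$art";
    # Three-argument open: the mode is fixed to '<', so '|' or '>' in
    # $path can only ever be part of a file name, never a command.
    open(my $fh, '<', $path) or return;
    flock($fh, LOCK_SH);    # stand-in for the mod's hold()/release()
    chomp(my @data = <$fh>);
    close($fh);
    return \@data;
}

# Constructed sample data: one article in a temporary catalogue directory.
my $catdir = tempdir(CLEANUP => 1);
mkdir "$catdir/dvd" or die "mkdir: $!";
open(my $out, '>', "$catdir/dvd/player.dat") or die "open: $!";
print {$out} "name=Sample player\nprice=99\n";
close($out);

# Constructed inputs: a valid name, a name with pipe characters, and a
# path traversal attempt. Only the first one is read.
for my $art ('player.dat', 'player.dat|uname -a|', '../../etc/passwd') {
    my $lines = read_article($catdir, 'dvd', $art);
    printf "%-22s => %s\n", $art,
        defined $lines ? scalar(@$lines) . " line(s) read" : "rejected";
}
```

Both checks matter: the three-argument form removes the command-execution behaviour, and the name check stops "../" sequences from reaching files outside the catalogue directory.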
    
    


