[20916] in bugtraq
cgisecurity.com Advisory #5
daemon@ATHENA.MIT.EDU (zeno)
Fri Jun 8 12:12:20 2001
From: zeno <zeno@cgisecurity.net>
Message-Id: <200106071758.f57HwLZ22365@cgisecurity.net>
To: BUGTRAQ@securityfocus.com
Date: Thu, 7 Jun 2001 17:58:21 +0000 (GMT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Well I had about 3 advisories I was working on but my HD died
and this was the only thing I could salvage. The vendor's patch
is also contained below in a url.
- zenomorph
[ Cgi Security Advisory #5 ]
admin@cgisecurity.com
VirtualCart Shopping Cart
Found
April 2001
Public release
June 2001
Vendor Contacted:
April 2001
Script Effected: VirtualCart Shopping Cart
Price: $199.00 for a single user license
Versions:
All versions appear to be effected
Platforms:
Unix, Linux, NT
Vendor:
http://www.vcart.com
Vendor Patch:
http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz
1. Problem
The problem lies in a file called CatalogMgr.pl.
The template variable does no validation checking and due to this
remote command execution is possible as the uid of the webserver.
(Usually user www or nobody)
The following request listed below would allow grabbing of the scripts
own sourcecode.
http://host/cgi-bin/CatalogMgr.pl?cartID=<valid-id>&template=CatalogMgr.pl
(Note: Paths may vary)
2. Fixes
The vendor has been contacted about this security issue.
Check the vendor webpage for futher updates or use the
vendor patch provided above towards the top of this advisory.
One quick solution to fix the remote command execution would be to put this
script into "Taint mode". This is done my modifying the path to perl at the
very top of this script. Simply change #!/usr/bin/perl to #!/usr/bin/perl -T.
It is also noted that the vendor found 3 other holes after we contacted them
and the patch above fixes those holes as well.
Published to the Public June 2001
Copyright May 2001 Cgisecurity.com
