Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

wp-02-0012: Carello 1.3 Remote File Execution

From: Matt Moore <matt () westpoint ltd uk>
Date: Wed, 10 Jul 2002 12:14:02 +0100
Westpoint Security Advisory

Title:          Carello 1.3 Remote File Execution
Risk Rating:    Medium
Software:       Carello Shopping Cart
Platforms:      Win2k, WinNT
Vendor URL:     www.carelloweb.com
Author:         Matt Moore <matt () westpoint ltd uk>
Date:           10th July 2002
Advisory ID#:   wp-02-0012


Overview:
=========
Carello 1.3 is a web based shopping cart solution, which uses hidden HTML form 
fields to specify executables to handle POSTed form data.

Details:
========

Remote File Execution
---------------------
Carello uses hidden form fields to specify the names of executables on the server which are to handle POSTed form data. This allows an attacker to manipulate the HTML to specify arbitrary executables, which the Carello server software will then run. For example, a typical section of an HTML page created by Carello looks like (angle brackets 
omitted):

form method="POST" action= "http://server/scripts/Carello/Carello.dll";
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
input type=....etc etc
Carello .dll only appears to check that the string 'inetpub' is in the requested path.
Hence, specifying a value like ' c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe ' 
bypasses this check, allowing arbitrary files to be executed.

Caveat:
-------
It does not appear to be possible to pass parameters to the executed program, which lessens the severity of this vulnerability. However, it would be more serious 
if an attacker could upload files to the server (e.g. via ftp)

Vendor response:
================
The vendor indicated that the vulnerability will be fixed in the next version 
of Carello. When asked for an expected release date, they replied that:
'Unfortunately, we do not have a plan to upgrade the program so far. But I put 
your indication on our program modification request list.'

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt
Previous By Date Next
Previous By Thread Next

Current thread: