Happymall E-Commerce Remote Command Execution CGI:

Advisory URL:


Product:  Happymall

Versions:  4.3, 4.4

Title:  Happymall E-Commerce Input Validation Flaw Lets Remote Users Execute Arbitrary 

Description:  Revin Aldi reported an input validation vulnerability in the Happymall 
e-commerce software.  Two scripts allow remote users to execute arbitrary commands with 
the privileges of the web server.

The 'normal_html.cgi' script does not filter user-supplied input before making an open() 
call based on that input.  A remote user can create a specially crafted URL to cause the 
system to execute arbitrary operating system commands.

A demonstration exploit is provided:

/shop/normal_html.cgi?file=;id|

The vendor reports that the 'member_html.cgi' script is also affected.

Impact:  A remote user can execute arbitrary shell commands with the privileges of the 
target web server.

Solution:  The vendor has issued a fix.  See the attached CERT-KR advisory for more 

Credit:  revin aldi (reVn@minangCrew.Web.Ma) discovered and reported this flaw to 
SecurityTracker and sends Greetz to #MinangCrew at Dal.Net

CVE:  CAN-2003-0243


Apr 26, 2003 Reported to SecurityTracker
Apr 27, 2003 Vendor contacted (via English language e-mail, without response)
Apr 29, 2003 CERTCC-KR initially contacted
May  2, 2003 Details of vulnerability provided to vendor
May  3, 2003 CERTCC-KR Advisory published

Distribution:  The above SecurityTracker text is Copyright 2003 by LLC 
but can be redistributed without restrictions.

Additional Information:  The CERTCC-KR advisory is shown below.

KA-2003-33: The Vulnerability of File Open Function in Happymall,
             an application of e-commerce.
Published : May 03, 2003
Updated : May 03, 2003
Reference :

-- Systems Affected --------
Only web servers running Happymall version 4.3 or 4.4

-- Impact --------
The normal_html.cgi and member_html.cgi scripts of Happymall allow
a remote user to execute arbitrary operating system commands on
the web server with the privileges of the web server.

-- Description -----------------
Happymall is an application used by some e-commerce sites.
The problem is as follows.

1. normal_html.cgi and member_html.cgi each contain a statement of the form
open(A, "$admin_path/normal_html/$END{'file'}") or die print "$END{'file'}",
a pattern that appears in Perl programs from time to time.

2. $END{'file'} is taken straight from the request's 'file' parameter and used,
unchecked, as the name of the file to open on the server.

3. A remote user can exploit a system running Happymall by giving 'file' a value
that open() treats as a system command rather than as a file name.
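Added example (not Happymall's code and not the vendor patch): a replacement for the open() statement quoted above that never lets the 'file' value reach a shell; the `$admin_path` value, the `safe_open_html` name and the directory layout are assumptions based on the advisory's description.

```perl
#!/usr/bin/perl
# Added example: safe replacement for the two-argument open() quoted in the
# advisory. Not Happymall's code; paths below are assumptions.
use strict;
use warnings;
use File::Spec;

my $admin_path = '/var/www/shop/admin';            # assumed location
my $base_dir   = "$admin_path/normal_html";        # directory the scripts read from

# Vulnerable form as quoted in the CERTCC-KR advisory (two-argument open):
#   open(A, "$admin_path/normal_html/$END{'file'}") or die ...
# With two arguments Perl parses the string for a mode, and a trailing '|'
# makes it a pipe open, so the request's "file" value is handed to the shell.

sub safe_open_html {
    my ($file) = @_;

    # 1. Allowlist the name: a plain basename ending in .html, nothing else.
    #    This bars '/', '..', whitespace, ';', '|' and every other metacharacter.
    return (undef, 'invalid file name')
        unless defined $file && $file =~ /\A[A-Za-z0-9_-]{1,64}\.html\z/;

    # 2. Build the path under the fixed directory; the regex already guarantees
    #    the result cannot escape $base_dir.
    my $path = File::Spec->catfile($base_dir, $file);

    # 3. Three-argument open with an explicit read mode: the file name is taken
    #    literally and is never parsed for '|', '<' or '>'.
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    return ($fh, undef);
}

# Constructed inputs, including the advisory's own payload. 'index.html' passes
# validation and is then rejected only if the file is absent on this machine.
for my $candidate (';id|', '../../etc/passwd', 'index.html') {
    my ($fh, $err) = safe_open_html($candidate);
    if ($fh) { print "accepted: $candidate\n"; close $fh }
    else     { print "rejected: $candidate ($err)\n" }
}
```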

-- Solution --------------------------
Apply Patch downloaded from :

How to apply the patch to the system :

1. Extract the downloaded zip file; it contains two files,
member_html.cgi and normal_html.cgi.

2. Upload those files in ASCII mode to the web server directory
containing index.cgi, overwriting the existing files.

3. Change the linked addresses.
For example:
Before patch applied :
After patch applied :

-- Reference Sites --------------------------

Korea Information Security Agency, KISA
Computer Emergency Response Team Coordination Center, CERTCC-KR
Hot Line: 02-118  Email: