
UStorekeeper(tm) Online Shopping System - version 1.6 Read Arbitrary Files



    uStorekeeper(tm) Online Shopping System - version 1.61 (probably others, but not tested)


    UkR hacking team found the following. '..' and '/' are not filtered
    while processing user input, so it is possible to enter arbitrary
    values to retrieve files from the remote server which should not be
    accessible normally (for example, /etc/passwd).

    Exploit: |

    zenomorph from 'cgisecurity' added the following. The following
    advisory was actually found in December of 2000 by the staff at  No bugtraq post was published, on the other hand,
    because after speaking with the vendor they informed them that not
    every version was affected and that the newer versions of this
    product have been patched. A staff member of  did
    make a proof of exploit for this code but they did give little
    details of the vendor due to them asking them not to.



        my $input = $ENV{'QUERY_STRING'} // '';   # constructed: the user-supplied path
        # This will help somewhat: the bracket expression is a character class, so it
        # strips every '(', '.', ')', '|' and '/' character, not just the '..' sequence.
        $input =~ s/[(\.\.)|\/]//g;
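    A defender-side check for this class of bug, as an added example that is not code from the advisory or from uStorekeeper: the blacklist-style stripping regex beside a canonicalising check that only accepts a resolved path lying under the document root. The document root and the sample requests are constructed.

```python
import posixpath
import re
from typing import Optional

# Constructed document root the CGI is allowed to serve files from.
DOCROOT = "/var/www/ustorekeeper/data"


def naive_strip(user_input: str) -> str:
    """Blacklist cleanup in the spirit of the advisory's one-liner: delete
    every '..' sequence and every '/' in a single global pass."""
    return re.sub(r"\.\.|/", "", user_input)


def safe_resolve(user_input: str, docroot: str = DOCROOT) -> Optional[str]:
    """Allow-list check: join the request onto docroot, normalise it, and
    accept only a result that is docroot itself or lies beneath it.
    Returns the canonical absolute path, or None when the request escapes."""
    root = posixpath.normpath(docroot)
    # posixpath.join discards docroot when user_input is absolute
    # ('/etc/passwd'); the prefix test below then rejects that result.
    candidate = posixpath.normpath(posixpath.join(root, user_input))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest traversal attempts.
    for request in ("catalog/item1.html", "../../../../etc/passwd",
                    "/etc/passwd", "..././"):
        stripped = naive_strip(request)
        print(f"{request!r:26} strip->{stripped!r:12} "
              f"resolve->{safe_resolve(request)!r} "
              f"resolve(stripped)->{safe_resolve(stripped)!r}")
```

    Note that '..././' is a harmless literal name until the stripping pass collapses it to '..', which is why the canonical-path check, not character deletion, is the control to rely on.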
