Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: e-commerce, shopping carts :: web5530.htm

Carello web shopping solution remote file execution
11th Jul 2002 [SBWID-5530]

	Carello web shopping solution remote file execution


	Carello 1.3


	In  Matt   Moore   []   advisory   [ID#:wp-02-0012]
	[] :

	Carello uses hidden form fields to specify the names of  executables  on
	the server which  are  to  handle  POSTed  form  data.  This  allows  an
	attacker to manipulate the HTML to specify arbitrary executables,  which
	the Carello server software  will  then  run.  For  example,  a  typical
	section of an HTML page created by Carello looks  like  (angle  brackets

	form method=\"POST\" action= \"http://server/scripts/Carello/Carello.dll\"

	input type=\"hidden\" name=\"CARELLOCODE\" value=\"WESTPOINT\"

	input type=\"hidden\" name=\"VBEXE\" value= \"c:\\inetpub\\..carello-exe-file\"

	input type=....etc etc


	Carello .dll only appears to check that the  string  \'inetpub\'  is  in
	the requested path.

	Hence, specifying a value like:

	c:\\inetpub\\..\\..\\..\\..\\..\\..\\winnt\\notepad.exe \'


	bypasses this check, allowing arbitrary files to be executed.


	None yet

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH