OSEC

From: zeno (zeno@cgisecurity.net)
Date: Thu Jun 07 2001 - 12:58:21 CDT


    Well, I had about 3 advisories I was working on, but my HD died,
    and this was the only thing I could salvage. The vendor's patch
    is also contained below in a URL.

    - zenomorph

                                   [ Cgi Security Advisory #5 ]
                                      admin@cgisecurity.com
                                     VirtualCart Shopping Cart

    Found
    April 2001

    Public release
    June 2001

    Vendor Contacted:
    April 2001

    Script Affected: VirtualCart Shopping Cart
    Price: $199.00 for a single user license

    Versions:
    All versions appear to be affected

    Platforms:
    Unix, Linux, NT

    Vendor:
    http://www.vcart.com

    Vendor Patch:
    http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz

    1. Problem

    The problem lies in a file called CatalogMgr.pl.
    The "template" parameter is used without any validation. Because of
    this, a remote attacker can read files on the server and execute
    commands with the uid of the webserver (usually user www or nobody).

    The following request would return the script's own source code,
    which confirms the problem on a given installation:

    http://host/cgi-bin/CatalogMgr.pl?cartID=>&template=CatalogMgr.pl
    (Note: Paths may vary)

    2. Fixes

    The vendor has been contacted about this security issue.
    Check the vendor webpage for further updates or use the
    vendor patch provided above towards the top of this advisory.

    One quick solution to stop the remote command execution would be to put
    this script into "Taint mode". This is done by modifying the path to perl
    at the very top of the script. Simply change #!/usr/bin/perl to
    #!/usr/bin/perl -T. In taint mode Perl refuses to pass unchecked user
    input to a shell, a piped open or a file opened for writing, which is what
    blocks the command execution. Note that taint mode does not stop the
    script from reading a file an attacker names, so the source disclosure
    above is only closed by the vendor patch or by validating the template
    name. Also expect taint mode to abort the script anywhere else it hands
    unchecked input to a shell or writes a file, so test it after the change.
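    The advisory does not reproduce VirtualCart's code, so the following is
    an added example and not the vendor's script: a hypothetical template
    loader in the style of CatalogMgr.pl, shown first the way the problem
    above arises (a CGI parameter fed straight into a two-argument open) and
    then hardened with an allowlist and a three-argument open that also
    satisfies taint mode. The function names, the template directory, the
    ".html" naming rule and the use of CGI.pm are all assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not VirtualCart's CatalogMgr.pl. Assumed names:
# load_template_vulnerable, load_template_safe, $TEMPLATE_DIR.
use strict;
use warnings;
use CGI qw(param);          # assumed; any CGI parameter source will do

my $TEMPLATE_DIR = '/usr/local/vcart/templates';   # assumed location

# VULNERABLE: the "template" parameter goes straight into a two-argument
# open(). Perl derives the open mode from the string itself, so:
#   template=CatalogMgr.pl  opens the script and returns its source
#   template=|id            is a piped open and runs "id" as the web user
# Under -T the piped form dies with "Insecure dependency in piped open",
# but a plain read of an attacker-named file is not a taint violation, so
# -T alone leaves the source disclosure in place.
sub load_template_vulnerable {
    my ($template) = @_;
    open(my $fh, $template) or return undef;
    local $/;                     # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED: accept only a short, plain file name from a fixed character
# class, anchor it under the template directory, and use three-argument
# open() so the value can never be read as a mode prefix or a pipe.
# The regex capture is also what untaints the value under -T.
sub load_template_safe {
    my ($template) = @_;
    return undef unless defined $template
        && $template =~ /\A([A-Za-z0-9_-]{1,64}\.html)\z/;
    my $name = $1;                # untainted by the anchored capture
    my $path = "$TEMPLATE_DIR/$name";
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

my $wanted = param('template');
my $body   = load_template_safe($wanted);
print "Content-Type: text/html\n\n";
print defined $body ? $body : "No such template.\n";
```

    The important properties of the hardened version are that the name is
    matched against an anchored allowlist (no "/", "..", "|" or "<" can get
    through), that the path is built from a constant directory rather than
    from the request, and that the three-argument open fixes the mode to
    read-only regardless of the string's contents.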

    It is also noted that the vendor found 3 other holes after we contacted
    them, and the patch above fixes those holes as well.

    Published to the Public June 2001
    Copyright May 2001 Cgisecurity.com