Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Matt Moore (matt_at_westpoint.ltd.uk)
Date: Wed Jul 10 2002 - 06:14:46 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Westpoint Security Advisory

    Title: Carello 1.3 Remote File Execution
    Risk Rating: Medium
    Software: Carello Shopping Cart
    Platforms: Win2k, WinNT
    Vendor URL: www.carelloweb.com
    Author: Matt Moore <mattwestpoint.ltd.uk>
    Date: 10th July 2002
    Advisory ID#: wp-02-0012


    Carello 1.3 is a web based shopping cart solution, which uses hidden
    HTML form
    fields to specify executables to handle POSTed form data.


    Remote File Execution

    Carello uses hidden form fields to specify the names of executables on
    the server which
    are to handle POSTed form data. This allows an attacker to manipulate
    the HTML to
    specify arbitrary executables, which the Carello server software will
    then run. For
    example, a typical section of an HTML page created by Carello looks like
    (angle brackets

    form method="POST" action= "http://server/scripts/Carello/Carello.dll"
    input type="hidden" name="CARELLOCODE" value="WESTPOINT"
    input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
    input type=....etc etc

    Carello .dll only appears to check that the string 'inetpub' is in the
    requested path.

    Hence, specifying a value like '
    c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe '
    bypasses this check, allowing arbitrary files to be executed.

    It does not appear to be possible to pass parameters to the executed
    which lessens the severity of this vulnerability. However, it would be
    more serious
    if an attacker could upload files to the server (e.g. via ftp)

    Vendor response:
    The vendor indicated that the vulnerability will be fixed in the next
    of Carello. When asked for an expected release date, they replied that:

    'Unfortunately, we do not have a plan to upgrade the program so far. But
    I put
    your indication on our program modification request list.'

    This advisory is available online at: