Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Matt Moore (matt_at_westpoint.ltd.uk)
Date: Wed Jul 10 2002 - 06:14:46 CDT
Westpoint Security Advisory
Title: Carello 1.3 Remote File Execution
Risk Rating: Medium
Software: Carello Shopping Cart
Platforms: Win2k, WinNT
Vendor URL: www.carelloweb.com
Author: Matt Moore <mattwestpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0012
Carello 1.3 is a web based shopping cart solution, which uses hidden
fields to specify executables to handle POSTed form data.
Remote File Execution
Carello uses hidden form fields to specify the names of executables on
the server which
are to handle POSTed form data. This allows an attacker to manipulate
the HTML to
specify arbitrary executables, which the Carello server software will
then run. For
example, a typical section of an HTML page created by Carello looks like
form method="POST" action= "http://server/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
input type=....etc etc
Carello .dll only appears to check that the string 'inetpub' is in the
Hence, specifying a value like '
bypasses this check, allowing arbitrary files to be executed.
It does not appear to be possible to pass parameters to the executed
which lessens the severity of this vulnerability. However, it would be
if an attacker could upload files to the server (e.g. via ftp)
The vendor indicated that the vulnerability will be fixed in the next
of Carello. When asked for an expected release date, they replied that:
'Unfortunately, we do not have a plan to upgrade the program so far. But
your indication on our program modification request list.'
This advisory is available online at: