Input validation error in quikstore.cgi allows attackers to execute commands

Overview

The quikstore shopping cart script contains an input validation error that allows attackers to execute commands on affected web servers.

Description

The quikstore.cgi script is written in Perl and provides its users with shopping cart software for e-commerce transactions. In November 2000, the CERT/CC received a report of an input validation error in this script that allows attackers to execute commands that are available on the system. After reviewing portions of the Quikstore source code, we believe that this vulnerability was caused by the use of an insecure form of the Perl open call. By including certain shell metacharacters in the URL portion of an HTTP GET request, attackers can cause the Perl interpreter to execute any commands that are available to the web server process.

Depending on the configuration of the victim’s web server, it may be possible to execute commands that are above the root of the web server directory.

---

Impact

Attackers can execute arbitrary commands with privileges equivalent to the web server or cgi user.

---

Solution

Quikstore has produced a patch for this vulnerability; please contact [email protected] for further details.

---

The impact of this vulnerability can be reduced by restricting the set of commands available to the web server. On Unix and Linux systems, this can be accomplished using chroot. In addition, any scripts or binaries that are not necessary for web service should be removed from the user’s web server directory.

---

Vendor Information

671444

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Quikstore __ Affected

Notified: December 01, 2000 Updated: March 22, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to Quikstore, versions after 2.11.00 are not affected by this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23671444 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.quikstore.com>
• <http://www.quikstore.com/ubb/Forum8/HTML/000017.html&gt;
• <http://www.securityfocus.com/bid/2049&gt;

Acknowledgements

The CERT/CC thanks Anders Henke of Schlund+Partner AG for reporting this vulnerability and Quikstore for their assistance in researching the issue.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs:	CVE-2000-1188
Severity Metric:	15.39 Date Public: