
CISADV000524b.txt

25 May 2000 | Reported by Robert Horton | Type: packetstorm | Source: packetstormsecurity.com

Carello web vulnerability allows remote file creation and sensitive file exposure on Windows NT IIS.

Code
`Cerberus Information Security Advisory (CISADV000524b)  
http://www.cerberus-infosec.co.uk/advisories.shtml  
  
  
Released : 24th May 2000  
Name : Carello Web file overwriting vulnerability  
Affected Systems : Windows NT running IIS  
Issue : Remote attackers can write to a server and view  
source of .asp files  
Author : Robert Horton ([email protected])  
  
Description  
***********  
The Cerberus Security Team have discovered a flaw in the Carello web  
shopping cart that enables attackers to create files on the server's  
computer. If the file already exists, then a copy of it is made with a  
slightly different file extension. For example foo.txt becomes foo.txt1.  
This becomes exploitable when a copy is made of foo.asp as its contents are  
copied to foo.asp1 which is not a recognised file format. When this page is  
then requested the source code is downloaded. This can often contain  
sensitive information such as passwords and the like.  
  
Details  
*******  
  
The following url:  
http://charon/scripts/Carello/add.exe?C:\inetpub\iissamples\default\samples.asp  
will create samples.asp1 which can then be viewed. The attacker needs to  
know the full path of the file that he/she wishes to copy. This is not  
difficult to work out as many of the links in the Carello Web product give  
this information away. There are a large number of executables in the  
/scripts/Carello directory, and all of the ones tested have exhibited this  
behaviour. It must be noted, however, that the NTFS permissions must also  
allow for the anonymous Internet account to be able to write to the relevant  
directory.  
  
A check for this has been added to Cerberus' vulnerability scanner CIS,  
available from the Cerberus website - http://www.cerberus-infosec.co.uk/  
  
  
Vendor Status  
*************  
  
PSPInc (www.pspinc.com) were informed of this on the 8 May. This product is  
no longer being supported although they say that a new version is due out in  
a couple of months which fixes these problems.  
  
About Cerberus Information Security, Ltd  
*****************************************  
Cerberus Information Security, Ltd, a UK company, are specialists in  
penetration testing and other security auditing services. They are the  
developers of CIS (Cerberus' Internet security scanner) available for free  
from their website: http://www.cerberus-infosec.co.uk  
  
To ensure that the Cerberus Security Team remains one of the strongest  
security audit teams available globally they continually research operating  
system and popular service software vulnerabilities leading to the discovery  
of "world first" issues. This not only keeps the team sharp but also helps  
the industry and vendors as a whole ultimately protecting the end consumer.  
As testimony to their ability and expertise one just has to look at exactly  
how many major vulnerabilities have been discovered by the Cerberus Security  
Team - over 70 to date, making them a clear leader of companies offering  
such security services.  
  
Founded in late 1999, by Mark and David Litchfield, Cerberus Information  
Security, Ltd are located in London, UK but serve customers across the  
World. For more information about Cerberus Information Security, Ltd please  
visit their website or call on +44(0)208 395 4980.  
  
Permission is hereby granted to copy or redistribute this advisory but only  
in its entirety.  
  
Copyright (C) 2000 by Cerberus Information Security, Ltd  
  
`
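
Added example, not part of the Cerberus advisory: a log check a defender could run over IIS W3C extended logs to spot the behaviour described above, namely a request to an executable under /scripts/Carello whose query string is an absolute Windows path, followed by a successful request for the resulting copy (original name plus "1"). The log lines, the field layout and the name example.exe are constructed for illustration.

```python
import ntpath
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-24 10:01:07 192.0.2.10 GET /scripts/Carello/add.exe C:\\inetpub\\iissamples\\default\\samples.asp 200
2000-05-24 10:01:09 192.0.2.10 GET /iissamples/default/samples.asp1 - 200
2000-05-24 10:02:30 192.0.2.44 GET /scripts/Carello/add.exe item=1234 200
2000-05-24 10:03:02 192.0.2.44 GET /iissamples/default/samples.asp - 200
2000-05-24 10:04:15 192.0.2.77 GET /scripts/Carello/example.exe D:%5Cshop%5Cadmin%5Clogin.asp 200
"""

# Any executable in the Carello scripts directory (the advisory says all tested ones behave alike).
CARELLO_EXE = re.compile(r"^/scripts/carello/[^/]+\.exe$", re.I)
# Query string that is a full Windows path, e.g. C:\... or D:/...
ABS_WIN_PATH = re.compile(r"^[a-z]:[\\/]", re.I)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_carello_copies(text):
    """Return findings: copy attempts and later fetches of the resulting copy."""
    findings, copies = [], {}
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"]
        query = unquote(req["cs-uri-query"])  # handles %5C-encoded backslashes
        if CARELLO_EXE.match(stem) and ABS_WIN_PATH.match(query):
            copy_name = ntpath.basename(query).lower() + "1"  # foo.asp -> foo.asp1
            copies[copy_name] = query
            findings.append(("copy-attempt", req["c-ip"], query))
        elif stem.rsplit("/", 1)[-1].lower() in copies and req["sc-status"] == "200":
            findings.append(("source-fetched", req["c-ip"], stem))
    return findings


if __name__ == "__main__":
    for finding in find_carello_copies(SAMPLE_LOG):
        print(*finding)
```

A "source-fetched" finding means the copied file was served with status 200, so any credentials in that script's source should be treated as exposed.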
