Vulnerability

    Carello web shopping cart

Affected

    Windows NT running IIS

Description

    Following is based on  Cerberus Security Team Advisory  (by Robert
    Horton).   The Cerberus  Security Team  have discovered  a flaw in
    the Carello  web shopping  cart that  enables attackers  to create
    files on the server's computer.  If the file already exists,  then
    a copy  of it  is made  with a  slightly different file extension.
    For example  foo.txt becomes  foo.txt1.   This becomes exploitable
    when a  copy is  made of  foo.asp as  its contents  are copied  to
    foo.asp1 which is  not a recognised  file format.   When this page
    is then requested the source  code is downloaded.  This  can often
    contain sensitive information such as passwords and the like.

    The following url:

        http://charon/scripts/Carello/add.exe?C:\inetpub\iissamples\default\samples.asp

    will create samples.asp1 which can  then be viewed.  The  attacker
    needs to  know the  full path  of the  file that  he/she wishes to
    copy.  This is not difficult to  work out as many of the links  in
    the Carello Web product give  this information away.  There  are a
    large number of executables in the /scripts/Carello directory, and
    all of the ones tested have exhibited this behaviour.  It must  be
    noted however, that the NTFS  permissions must also allow for  the
    anonymous Internet  account to  be able  to write  to the relevant
    directory.

Solution

    PSPInc were  informed of  this.   This product  is no longer being
    supported although they  say that a  new version is  due out in  a
    couple of months which fixes these problems.