Vulnerability

    Carello web shopping cart

Affected

    Windows NT running IIS

Description

    Following is based on Cerberus Security Team Advisory (by Robert Horton). The Cerberus Security Team have discovered a flaw in the Carello web shopping cart that enables attackers to create files on the server's computer. If the file already exists, then a copy of it is made with a slightly different file extension. For example foo.txt becomes foo.txt1.

    This becomes exploitable when a copy is made of foo.asp as its contents are copied to foo.asp1 which is not a recognised file format. When this page is then requested the source code is downloaded. This can often contain sensitive information such as passwords and the like. The following url:

        http://charon/scripts/Carello/add.exe?C:\inetpub\iissamples\default\samples.asp

    will create samples.asp1 which can then be viewed.

    The attacker needs to know the full path of the file that he/she wishes to copy. This is not difficult to work out as many of the links in the Carello Web product give this information away. There are a large number of executables in the /scripts/Carello directory, and all of the ones tested have exhibited this behaviour. It must be noted however, that the NTFS permissions must also allow for the anonymous Internet account to be able to write to the relevant directory.

Solution

    PSPInc were informed of this. This product is no longer being supported although they say that a new version is due out in a couple of months which fixes these problems.
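
Added example (not part of the Cerberus advisory or of the Carello product): a Python check that scans IIS logs for the two requests the Description mentions, a Carello executable called with a full file path as its query string and a later fetch of the resulting .asp copy. The log lines are constructed; the W3C field layout and a numeric suffix on the copy (as in foo.txt1) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log in W3C extended style; field order comes from #Fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-01 10:00:01 192.0.2.10 GET /scripts/Carello/add.exe C:\\inetpub\\iissamples\\default\\samples.asp 200
2000-05-01 10:00:05 192.0.2.10 GET /iissamples/default/samples.asp1 - 200
2000-05-01 10:01:00 192.0.2.20 GET /scripts/Carello/add.exe item=42 200
2000-05-01 10:02:00 192.0.2.20 GET /default.asp - 200
2000-05-01 10:03:00 192.0.2.30 GET /scripts/carello/add.exe C%3A%5Cinetpub%5Ciissamples%5Cdefault%5Csamples.asp 200
"""

CARELLO_EXE = re.compile(r"^/scripts/carello/[^/]+\.exe$", re.I)
ABS_PATH = re.compile(r"^[a-z]:[\\/]", re.I)   # drive letter + path separator
# Assumption: the copy's extension is the original plus digits (foo.asp1).
SCRIPT_COPY = re.compile(r"\.asp\d+$", re.I)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_carello_indicators(text):
    """Return (client, reason, detail) for each request matching a pattern."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = unquote(rec.get("cs-uri-query", ""))  # decode %3A, %5C
        if CARELLO_EXE.match(stem) and ABS_PATH.match(query):
            hits.append((rec.get("c-ip", "-"), "path-in-query", query))
        elif SCRIPT_COPY.search(stem):
            hits.append((rec.get("c-ip", "-"), "script-copy-fetch", stem))
    return hits

if __name__ == "__main__":
    for hit in find_carello_indicators(SAMPLE_LOG):
        print(*hit, sep="\t")
```

A "script-copy-fetch" hit answered with status 200 means the copy exists under the web root and should be removed after review.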