COMMAND

    Carello web shopping solution remote file execution

SYSTEMS AFFECTED

    Carello 1.3

PROBLEM

    In Matt Moore [matt@westpoint.ltd.uk] advisory [ID#: wp-02-0012] [http://www.westpoint.ltd.uk]:

    Carello uses hidden form fields to specify the names of executables on the server which are to handle POSTed form data. This allows an attacker to manipulate the HTML to specify arbitrary executables, which the Carello server software will then run. For example, a typical section of an HTML page created by Carello looks like (angle brackets omitted):

        form method="POST" action="http://server/scripts/Carello/Carello.dll"
        input type="hidden" name="CARELLOCODE" value="WESTPOINT"
        input type="hidden" name="VBEXE" value="c:\inetpub\..carello-exe-file"
        input type=....etc etc

    Carello.dll only appears to check that the string 'inetpub' is in the requested path. Hence, specifying a value like:

        c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe

    bypasses this check, allowing arbitrary files to be executed.

SOLUTION

    None yet
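    The weak substring test described above, placed beside a canonicalising check and a server-side handler table, as an added illustration of the fix a vendor would apply. This is example code written for this page, not Carello's own code; the allowed directory, the handler names and the token table are constructed assumptions, since the advisory does not give the real install path.

```python
import ntpath

# Constructed for this example: the only directory whose executables may
# handle Carello form posts (the real install path is not in the advisory).
ALLOWED_DIR = r"c:\inetpub\scripts\carello"

# Constructed server-side allow-list: the page sends a short token, never a path.
HANDLERS = {
    "order": ntpath.join(ALLOWED_DIR, "order.exe"),
    "checkout": ntpath.join(ALLOWED_DIR, "checkout.exe"),
}


def weak_check(vbexe: str) -> bool:
    """The check the advisory describes: a bare substring test for 'inetpub'.
    Any path that merely contains the word passes, traversal paths included."""
    return "inetpub" in vbexe.lower()


def hardened_check(vbexe: str) -> bool:
    """Canonicalise first, then compare against the allowed directory.

    ntpath.normpath folds '.', '..' and mixed slashes the way Windows resolves
    them, so traversal sequences disappear before the comparison; normcase
    lowercases and unifies separators so case or slash variants cannot dodge
    the prefix test."""
    canonical = ntpath.normcase(ntpath.normpath(vbexe))
    root = ntpath.normcase(ALLOWED_DIR) + "\\"
    if not canonical.startswith(root):
        return False  # resolved outside the allowed directory
    leaf = canonical[len(root):]
    # Exactly one path component, and it must be an .exe in that directory.
    return "\\" not in leaf and leaf.endswith(".exe")


def resolve_handler(token: str):
    """Preferred fix: the client never names a path at all. The token is looked
    up in the server-side table; unknown tokens yield None and nothing runs."""
    return HANDLERS.get(token)


if __name__ == "__main__":
    bypass = r"c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe"  # value from the advisory
    print("weak check accepts bypass:", weak_check(bypass))  # True
    print("hardened check accepts bypass:", hardened_check(bypass))  # False
```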