Reported May 14, 2001, by Defcom Labs.
Carello E-Commerce Server 1.2.1 for Windows NT
A vulnerability in Carello E-Commerce Server 1.2.1 for Windows NT lets a remote attacker run any program on the server in the Web server's System security context. Carello.dll executes the script named in its VBEXE parameter as a full physical path rather than as a path relative to the Web root, and does not confine that path to its script directory, so a directory-traversal sequence reaches any executable on the machine and the remainder of the parameter is passed to it as command-line arguments.
Peter Gründl provided the following proof-of-concept scenario. Requesting the URL
http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt
makes the server run cmd.exe with the supplied arguments and creates a file called c:\defcom.txt on the server, demonstrating that arbitrary commands execute with the server's privileges.
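The pattern behind the bug beside a hardened resolver, as an added example written for this entry; it is not Carello's code. The script directory C:\Inetpub\scripts\Carello and the assumption that the VBEXE value has already been URL-decoded (so %20 is a space) are assumptions made for the example. The vulnerable function does what the advisory describes: it takes the parameter as a physical path and hands it on untouched. The hardened function treats the parameter as a name relative to the script directory, normalises "." and ".." components, refuses anything that would climb above that directory, and rejects drive letters, absolute paths and the whitespace and shell metacharacters that let the PoC append "/c echo test>c:\defcom.txt" as arguments.

```c
#include <stdio.h>
#include <string.h>

#define MAX_VBEXE 260                       /* MAX_PATH on Windows NT */

/* Assumed layout (not taken from the advisory): the script directory the
 * extension should be confined to, and the PoC parameter after URL decoding. */
const char *const SCRIPT_DIR = "C:\\Inetpub\\scripts\\Carello";
const char *const POC_PARAM  = "C:\\..\\winnt\\system32\\cmd.exe /c echo test>c:\\defcom.txt";
char vbexe_buf[MAX_VBEXE];                  /* shared output buffer for callers */

/* Vulnerable pattern: the parameter is treated as a physical path and
 * copied straight into the command line, so "C:\..\winnt\system32\cmd.exe /c ..."
 * runs in the server's security context. Returns 0 on success, -1 if too long. */
int vulnerable_vbexe(const char *param, char *out, size_t outlen)
{
    if (strlen(param) >= outlen)
        return -1;
    strcpy(out, param);                     /* no validation at all */
    return 0;
}

/* Hardened resolver: the parameter is a name relative to scriptdir.
 * Returns 0 and writes the physical path to out, or -1 to reject the request. */
int safe_vbexe(const char *scriptdir, const char *param, char *out, size_t outlen)
{
    char norm[MAX_VBEXE];                   /* normalised relative path */
    size_t n = 0;                           /* bytes used in norm */
    const char *p = param;

    if (*param == '\0' || strlen(param) >= sizeof norm)
        return -1;
    /* Absolute paths (\foo, /foo, \\server\share) are never script names. */
    if (param[0] == '\\' || param[0] == '/')
        return -1;
    /* Drive letters (C:), wildcards, and the whitespace and shell metacharacters
     * that turn "script.exe /c echo x>file" into extra arguments or redirection. */
    if (strpbrk(param, ":*?\"'<>|&;%$ \t\r\n") != NULL)
        return -1;

    /* Walk the components: drop "" and ".", pop on "..", and refuse a ".."
     * that would climb above scriptdir. Both \ and / are accepted as separators. */
    while (*p) {
        const char *end = p;
        size_t len;
        while (*end != '\0' && *end != '\\' && *end != '/')
            end++;
        len = (size_t)(end - p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty or "." component: nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n == 0)
                return -1;                  /* would escape scriptdir */
            while (n > 0 && norm[n - 1] != '\\')
                n--;                        /* remove the last component */
            if (n > 0)
                n--;                        /* and the separator before it */
        } else {
            if (n + (n > 0 ? 1 : 0) + len >= sizeof norm)
                return -1;
            if (n > 0)
                norm[n++] = '\\';
            memcpy(norm + n, p, len);
            n += len;
        }
        p = (*end != '\0') ? end + 1 : end;
    }
    norm[n] = '\0';
    if (n == 0)
        return -1;                          /* e.g. ".", "./", "a\.." name nothing */

    if (snprintf(out, outlen, "%s\\%s", scriptdir, norm) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    char buf[MAX_VBEXE];
    if (vulnerable_vbexe(POC_PARAM, buf, sizeof buf) == 0)
        printf("vulnerable would execute: %s\n", buf);
    if (safe_vbexe(SCRIPT_DIR, POC_PARAM, buf, sizeof buf) == 0)
        printf("hardened resolved: %s\n", buf);
    else
        printf("hardened rejected the PoC parameter\n");
    if (safe_vbexe(SCRIPT_DIR, "site2\\..\\site2\\checkout.exe", buf, sizeof buf) == 0)
        printf("hardened resolved: %s\n", buf);
    return 0;
}
```

Confining the path only removes the traversal; it does not change the privilege the program runs with. Whatever Carello.dll resolves still executes as the Web server process, so the second half of the fix is running that process, or the out-of-process application it is mapped to, under a low-privilege account rather than System.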
Discovered by Peter Gründl.