Carello E-Commerce Server Allows Remote Command Execution

Reported May 14, 2001, by Defcom Labs.

VERSION AFFECTED

  • Carello E-Commerce Server 1.2.1 for Windows NT

DESCRIPTION
A vulnerability exists in Carello E-Commerce Server 1.2.1 for Windows NT that lets an attacker run programs located on the server in the System security context. Carello.dll uses full physical paths to execute its scripts instead of paths relative to the Web root.

DEMONSTRATION

Peter Gründl also provided the following proof-of-concept scenario:

Typing http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt creates a file on the server called “defcom.txt.”
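
For administrators reviewing logs from an affected server, the following Python example (added here; it is not part of the original advisory or the vendor's code) flags Carello.dll requests whose VBEXE parameter carries arguments, a parent-directory segment, or a path that resolves outside the script directory. The seven-field log layout, the ALLOWED_DIR value and the shop.exe name are assumptions made for illustration, and the log lines are constructed.

```python
import ntpath
from urllib.parse import parse_qs

# Assumption: directory holding the shop's legitimate scripts (hypothetical).
ALLOWED_DIR = r"c:\carello\scripts"

# Constructed lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2001-05-14 10:00:01 192.0.2.10 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=C:\Carello\scripts\shop.exe 200
2001-05-14 10:00:07 192.0.2.77 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt 200
2001-05-14 10:00:09 192.0.2.10 GET /index.html - 200
2001-05-14 10:00:12 192.0.2.78 GET /scripts/carello/carello.dll carellocode=SITE2&vbexe=C:\Carello\scripts\..\..\winnt\system32\cmd.exe 200
""".strip().splitlines()


def vbexe_findings(value):
    """Return reasons why a decoded VBEXE value is suspicious (empty list = ok)."""
    reasons = []
    parts = value.split(None, 1)
    exe = parts[0] if parts else ""
    if len(parts) > 1:
        reasons.append("command-line arguments appended")
    if ".." in exe.replace("/", "\\").split("\\"):
        reasons.append("parent-directory segment in path")
    # Normalise as a Windows path (works on any platform) before comparing.
    resolved = ntpath.normcase(ntpath.normpath(exe))
    if not resolved.startswith(ALLOWED_DIR + "\\"):
        reasons.append("resolves outside script directory: " + resolved)
    return reasons


def scan(lines):
    """Yield (client_ip, reasons) for each suspicious Carello.dll request."""
    for line in lines:
        fields = line.split()
        if len(fields) != 7 or not fields[4].lower().endswith("/carello.dll"):
            continue  # wrong format, or not a request to the DLL
        # parse_qs URL-decodes values; parameter names are compared lower-cased.
        params = {k.lower(): v for k, v in parse_qs(fields[5]).items()}
        for value in params.get("vbexe", []):
            reasons = vbexe_findings(value)
            if reasons:
                yield fields[2], reasons


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```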

 

VENDOR RESPONSE

The vendor, Carello, has acknowledged this vulnerability and released version 1.3 to correct it.

CREDIT
Discovered by Peter Gründl.
