Westpoint Security Advisory Title: Carello 1.3 Remote File Execution Risk Rating: High Software: Carello Shopping Cart Platforms: Win2k, WinNT Vendor URL: www.carelloweb.com Author: Matt Moore <matt@westpoint.ltd.uk> Date: 10th July 2002 Advisory ID#: wp-02-0012 Revision: Updated 22/02/2002 (see addendum) Overview: ========= Carello 1.3 is a web based shopping cart solution, which uses hidden HTML form fields to specify executables to handle POSTed form data. Details: ======== Remote File Execution --------------------- Carello uses hidden form fields to specify the names of executables on the server which are to handle POSTed form data. This allows an attacker to manipulate the HTML to specify arbitrary executables, which the Carello server software will then run. For example, a typical section of an HTML page created by Carello looks like (angle brackets omitted): form method="POST" action= "http://server/scripts/Carello/Carello.dll"; input type="hidden" name="CARELLOCODE" value="WESTPOINT" input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file" input type=....etc etc Hence, by specifying a value like ' c:\..\..\..\..\..\..\..\.\winnt\notepad.exe ' an attacker can execute arbitrary files. Vendor response: ================ The vendor indicated that the vulnerability will be fixed in the next version of Carello. When asked for an expected release date, they replied that: 'Unfortunately, we do not have a plan to upgrade the program so far. But I put your indication on our program modification request list.' This advisory is available online at: http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt Addendum: ========= 22/02/2002 - New information. Westpoint would like to thank Peter Grundl of KPMG for providing additional information on this vulnerability: Exploitable via GET requests ----------------------------- The vulnerability can be exploited by making a GET request to the vulnerable .dll and specifying the 'VBEXE' as a parameter. Passing parameters to the invoked executable ---------------------------------------------- It is possible to pass parameters to the executables invoked using this vulnerability. For example: /scripts/Carello/Carello.dll?VBEXE= c:\.\winnt\system32\cmd.exe%20/c%20dir >c:\dir.txt Carello attempts to verify that the VBEXE file specified is not in %systemroot% - prepending \.\ to the path circumvents this restriction.
