Hassan Consulting Shopping Cart Allows Remote Users to Execute Shell Commands on the Server
|
|
SecurityTracker Alert ID: 1002379 |
|
SecurityTracker URL: http://securitytracker.com/id/1002379
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 8 2001
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.23, possibly earlier versions
|
Description:
An input validation vulnerability was reported in Hassan Consulting's Shopping Cart that allows remote users to execute commands on the server with the privileges of the web server.
It is reported that "../" characters are filtered but that commands can be executed.
A demonstration exploit URL is provided:
http://[targethost]/cgi-local/shop.pl/SID=947626980.19094/page=;ls|
|
Impact:
A remote user can execute commands on the server with the privileges of the web server.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.irata.com/products.html (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 8 Sep 2001 05:31:26 -0000
Subject: Shopping Cart Version 1.23
|
User can execute command, but can't use "../"
www.server.com/cgi-
local/shop.pl/SID=947626980.19094/page=;ls|
XP-TEAM
Don_Huan
xakepsin@quake.ru
|
|
