SecurityTracker.com
Category: Application (Commerce) > ES.One
Vendors: Thinking Arts
Thinking Arts ES.One Commerce Package Allows Unauthorized File and Directory Listings Outside of the Web Root Directory
SecurityTracker Alert ID: 1000943
SecurityTracker URL: http://securitytracker.com/id/1000943
CVE Reference: GENERIC-MAP-NOMATCH
Updated: May 30 2001
Original Entry Date: Feb 16 2001
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 2.2 Beta Reference 1
Description: It is reported that the Thinking Arts ES.One e-commerce package for Unix/Linux (with Apache) contains a vulnerable CGI script (store.cgi) that allows a remote attacker to view files and directories on the web server.

Adding the string "/../" to a requested URL allows an attacker to view any file or directory on the server that has read permissions for the web server.

Some examples from the report are:

StartID=../etc/hosts%00.html (opens the hosts file)

StartID=../etc/%00.html (lists the /etc/ directory)

The report notes that the "%00.html" is required at the end of the commands above.

The vendor has reportedly been contacted.
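As an added illustration (not the vendor's code and not part of the original alert), the following Python models the behaviour the description attributes to store.cgi beside a hardened lookup that rejects the same input. WEB_ROOT, the ".html" suffix handling and the number of "../" segments needed to reach a given file are assumptions; the page's examples use a single "../", and the depth depends on where the script is deployed.

```python
"""Added illustration for this alert (not the vendor's store.cgi): how "../" plus a
trailing "%00.html" escapes the page directory, and a hardened lookup that rejects it.
WEB_ROOT and the ".html" suffix handling are assumptions drawn from the advisory text."""
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/store/pages"  # constructed: assumed home of the store's HTML pages


def vulnerable_target(start_id: str) -> str:
    """Resolve StartID the way the advisory describes the flawed script behaving.

    The script appends ".html" and opens the result.  "%00" decodes to a NUL byte,
    which a C-level open() treats as the end of the filename, so the forced suffix
    is silently dropped and the "../" segments walk out of the page directory.
    """
    decoded = unquote(start_id) + ".html"
    truncated = decoded.split("\x00", 1)[0]  # emulate C string truncation at NUL
    return os.path.normpath(os.path.join(WEB_ROOT, truncated))


def safe_target(start_id: str) -> str:
    """Hardened resolution: reject NUL bytes, then confine the resolved path to WEB_ROOT."""
    decoded = unquote(start_id)
    if "\x00" in decoded:
        raise ValueError("NUL byte in StartID")
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded + ".html"))
    # Compare resolved paths, not raw strings, so "..", "./" and symlinks are all covered.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("StartID escapes the web root")
    return candidate


def is_traversal_request(query: str) -> bool:
    """Detection helper: flag a query string carrying "../" or an encoded NUL byte."""
    decoded = unquote(query)
    return "../" in decoded or "\x00" in decoded


if __name__ == "__main__":
    for payload in ("../etc/hosts%00.html", "../etc/%00.html", "welcome"):
        print(payload, "->", vulnerable_target(payload), "| flagged:", is_traversal_request(payload))
        try:
            print("    hardened:", safe_target(payload))
        except ValueError as exc:
            print("    hardened: rejected,", exc)
```

The same check against the decoded query string can be run over web server access logs to find requests for store.cgi that carried "../" or "%00".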

Impact: An attacker can remotely view files and directory listings.
Solution: The vendor has released a fixed version (2.2 Release Version).
Vendor URL: www.thinkingarts.com/thinkingarts/incidents.htm
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)

Message History: None.


Source Message Contents

Subject: Thinking Arts Store.cgi Directory Traversal


Introduction:

The Thinking Arts LTD E-Commerce package comes with a webstore frontend called store.cgi, which allows people to basically order products on their website over a SQL database.


The vendor's website is:
http://www.thinkingarts.com/


Problem: Simple Directory Traversal

Adding the string "/../" to a URL allows an attacker to view any file on the server, and also list directories within the server which the owner of the vulnerable httpd has permissions to access. Remote execution of commands does not appear to be possible with this directory traversal bug, but directory listings are. Please note that you do need the %00.html at the end of your command.


Examples:

http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
^^ = Will obviously open the hosts file.

http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
^^ = Will obviously list the /etc/ directory.



Solution:

Vendor has been contacted. No reply from them yet, and seeing only 3 sites who signed up for their dumb service are affected, so it doesn't really matter now, does it?


--------------------
b10z cgi advisory.
slipy@b10z.net

February 16th, 2001.

 
 


Copyright 2017, SecurityGlobal.net LLC