


Category:   Application (Commerce)  >   ES.One
Vendor:   Thinking Arts
Thinking Arts ES.One Commerce Package Allows Unauthorized File and Directory Listings Outside of the Web Root Directory
SecurityTracker Alert ID:  1000943
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 30 2001
Original Entry Date:  Feb 16 2001
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.2 Beta Reference 1
Description:   It is reported that the Thinking Arts ES.One e-commerce package for Unix/Linux (with Apache) contains a vulnerable cgi script (store.cgi) that allows a remote attacker to view files and directories on the web server.

Inserting the string "/../" into the requested path lets an attacker read any file, or list any directory, on the server that the httpd process's user has permission to read.

Some examples are
^^ = Will obviously open the hosts file.

^^ = Will obviously list the /etc/ directory.

The report notes that "%00.html" must be appended to the requested path for the requests above to work. The advisory does not say why; the usual mechanism is that the script checks for (or appends) an ".html" extension on the decoded string, while the C library call that finally opens the file stops at the first NUL byte, so the suffix satisfies the check without forming part of the path that is actually opened.
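The mechanism behind the required "%00.html" suffix, shown as an added example in Python (not code from the advisory or from Thinking Arts; store.cgi's source is not reproduced here, so the ".html" extension check and the `web_root + page` concatenation are assumptions about the flawed pattern, chosen because they are the usual reason a null byte followed by a fake extension is needed). The second function shows the hardened resolution a practitioner would substitute: reject NUL bytes, canonicalise with realpath(), and confirm the result stays under the document root. The web root and the sample page are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_open_path(web_root: str, page: str) -> str:
    """Model of the flawed CGI pattern (an assumption about store.cgi, whose
    source is not public): URL-decode the requested page, require a ".html"
    extension, append it to the web root and hand the result to open(2).
    The extension check sees the whole decoded string, but the C string
    passed to the kernel ends at the first NUL byte, so "%00.html" satisfies
    the check while the file actually opened is whatever precedes the NUL."""
    decoded = unquote(page)
    if not decoded.endswith(".html"):
        raise PermissionError("only .html pages are served")
    full = web_root + "/" + decoded
    truncated = full.split("\x00", 1)[0]   # C string semantics: stop at NUL
    return os.path.normpath(truncated)     # the path open(2) really sees


def safe_resolve(web_root: str, page: str) -> str:
    """Hardened resolution: reject NUL bytes outright, canonicalise with
    realpath() so "/../" segments and symlinks are resolved, and only then
    confirm the result is still inside the web root and is not a directory."""
    decoded = unquote(page)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    if not decoded.endswith(".html"):
        raise ValueError("only .html pages are served")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath() compares whole components, so "/var/www/store2" is not
    # mistaken for a child of "/var/www/store" the way startswith() would.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the web root")
    if os.path.isdir(candidate):
        raise ValueError("directory listings are not served")
    return candidate


def rejected(fn, *args) -> bool:
    """True if fn(*args) refuses the request."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False


def make_sample_web_root() -> str:
    """Constructed throw-away document root holding one legitimate page."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="store-webroot-"))
    with open(os.path.join(root, "catalog.html"), "w") as fh:
        fh.write("<html>catalog</html>")
    return root


if __name__ == "__main__":
    probes = [
        "catalog.html",                 # legitimate page
        "/../../../etc/hosts",          # fails the .html check: hence "%00.html"
        "/../../../etc/hosts%00.html",  # reads /etc/hosts through the flawed path
        "/../../../etc/%00.html",       # lists /etc through the flawed path
    ]
    root = make_sample_web_root()
    for probe in probes:
        vuln = ("rejected" if rejected(vulnerable_open_path, "/var/www/store", probe)
                else vulnerable_open_path("/var/www/store", probe))
        safe = ("rejected" if rejected(safe_resolve, root, probe)
                else safe_resolve(root, probe))
        print(f"{probe:30} vulnerable -> {vuln:22} hardened -> {safe}")
```

The vulnerable model reproduces the advisory's two observations: "/../../../etc/hosts" alone is refused by the extension check, and the same path with "%00.html" appended resolves to /etc/hosts (or to /etc for the directory case). The hardened version refuses both, and also refuses "/../../../etc/hosts.html", which passes the extension check but leaves the document root.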

The vendor has reportedly been contacted.

Impact:   An attacker can remotely view files and directory listings.
Solution:   The vendor has released a fixed version (2.2 Release Version).
Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  Thinking Arts Store.cgi Directory Traversal


Thinking Arts LTD's E-Commerce package comes 
with a webstore front end called store.cgi, which 
basically allows people to order products on their 
website over a SQL database. 

The vendors website is:  

Problem: Simple Directory Traversal

Adding the string "/../" to a URL allows an attacker to 
view any file on the server, and also list directories 
within the server which the owner of the vulnerable 
httpd has permissions to access. Remote execution 
of commands does not appear to be possible with this 
directory traversal bug, but directory listings are. 
Please note that you do need the %00.html at the end 
of your command.

^^ = Will obviously open the hosts file.
^^ = Will obviously list the /etc/ directory. 


Vendor has been contacted. No reply from them yet, 
and seeing as only 3 sites that signed up for their dumb 
service are affected, it doesn't really matter now, 
does it?

b10z cgi advisory.

February 16th, 2001.
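For defenders, an added example (not part of the advisory or the vendor's code) that scans Apache combined-format access logs for the traversal and null-byte patterns described in the message above, including percent-encoded and double-encoded variants. The log lines are constructed, and the `page=` parameter name is an assumption, since the page does not preserve the original request URLs.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-log lines (not real traffic). The "page="
# parameter name is an assumption; the advisory's example URLs are not preserved.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Feb/2001:10:12:01 +0000] "GET /cgi-bin/store.cgi?page=/../../../etc/hosts%00.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [16/Feb/2001:10:12:05 +0000] "GET /cgi-bin/store.cgi?page=/../../../etc/%00.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2001:10:13:44 +0000] "GET /cgi-bin/store.cgi?page=catalog.html HTTP/1.0" 200 3311 "-" "Mozilla/4.0"
203.0.113.5 - - [16/Feb/2001:10:14:02 +0000] "GET /cgi-bin/store.cgi?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%2500.html HTTP/1.0" 404 220 "-" "curl/7.9"
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so "%2500" is seen as a NUL byte
    just as "%00" is; stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_indicators(target: str) -> List[str]:
    """Names of the traversal tells present in a request target."""
    decoded = decode_fully(target)
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("dot-dot-slash")
    if "\x00" in decoded:
        found.append("nul-byte")
    return found


def scan_log(text: str) -> List[Dict]:
    """Return one record per request line carrying a traversal indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        indicators = traversal_indicators(m["target"])
        if indicators:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return hits


def hits_by_source(hits: List[Dict]) -> Counter:
    """Count flagged requests per client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        verdict = "LIKELY SUCCEEDED" if h["status"] == 200 else "probe"
        print(f'{h["ip"]:14} {h["status"]} {",".join(h["indicators"]):22} {h["target"]}  [{verdict}]')
    print(hits_by_source(scan_log(SAMPLE_LOG)))
```

A status of 200 on a flagged request is the important signal: against an unpatched store.cgi the traversal is served successfully, so a 200 paired with "../" and "%00" in the target is evidence that the file was actually read, whereas a 404 is only evidence of probing. The bounded repeated decoding is deliberate: a single unquote() would miss the double-encoded "%2500" in the last sample line.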

