SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   Virtual Catalog Vendors:   Virtual Focus
VirtualCatalog Commerce Application Discloses Script Source Code to Remote Users and Lets Remote Users Execute Certain Commands via the Web Server
SecurityTracker Alert ID:  1001707
SecurityTracker URL:  http://securitytracker.com/id/1001707
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jun 12 2001
Original Entry Date:  Jun 8 2001
Impact:   Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All versions appear to be affected
Description:   Cgisecurity.com reported a vulnerability in Virtual Focus's VirtualCatalog shopping cart that allows a remote user to execute commands on the web server and obtain files from the web server, including the source code of the shopping cart cgi scripts.

The vulnerability is reportedly due to the lack of validation checking on a template variable in CatalogMgr.pl. As a result, a remote user can execute commands on the web server with the privileges of the web server.

This vulnerability could allow a remote user to obtain the source code of the scripts using the following type of request:

http://[targethost]/cgi-bin/CatalogMgr.pl?cartID=<valid-id>&template=CatalogMgr.pl
(Note: Paths may vary)

It is reported that the vendor discovered additional vulnerabilities that are not described in this alert when the vendor was patching the reported vulnerability.

[Alert Modification: This was originally reported as a vulnerability in VirtualCart. However, the vulnerability resides in VirtualCatalog.]

Impact:   A remote user can execute commands via the web server with the privileges of the web server. Using these commands, the remote user can obtain files from the web server, including the source code of the shopping cart scripts.
Solution:   The vendor has released a patch which is reportedly available at: http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz

Vendor URL:  www.vcart.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  cgisecurity.com Advisory #5



Well I had about 3 advisories I was working on but my HD died
and this was the only thing I could salvage. The vendor's patch
is also contained below in a url.


- zenomorph




                               [ Cgi Security Advisory #5 ]
                                  admin@cgisecurity.com
                                 VirtualCart Shopping Cart

Found
April 2001


Public release
June 2001


Vendor Contacted:
April 2001


Script Effected: VirtualCart Shopping Cart
Price: $199.00 for a single user license


Versions:
All versions appear to be effected


Platforms:
Unix, Linux, NT


Vendor:
http://www.vcart.com


Vendor Patch:
http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz



1. Problem

The problem lies in a file called CatalogMgr.pl.
The template variable does no validation checking and due to this
remote command execution is possible as the uid of the webserver.
(Usually user www or nobody)


The following request listed below would allow grabbing of the scripts
own sourcecode.

http://host/cgi-bin/CatalogMgr.pl?cartID=<valid-id>&template=CatalogMgr.pl
(Note: Paths may vary)



2. Fixes

The vendor has been contacted about this security issue.
Check the vendor webpage for futher updates or use the
vendor patch provided above towards the top of this advisory.

One quick solution to fix the remote command execution would be to put this
script into "Taint mode". This is done my modifying the path to perl at the
very top of this script. Simply change #!/usr/bin/perl to #!/usr/bin/perl -T.

It is also noted that the vendor found 3 other holes after we contacted them
and the patch above fixes those holes as well.



Published to the Public June 2001
Copyright May 2001 Cgisecurity.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC