SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   1C-Arcadia Internet Store Vendors:   Arcadia, Inc.
1C:Arcadia Internet Store Web Commerce System Discloses Files to Remote Users and Lets Remote Users Crash the Application
SecurityTracker Alert ID:  1001811
SecurityTracker URL:  http://securitytracker.com/id/1001811
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 22 2001
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   Several vulnerabilities have been reported in Arcadia's 1C:Arcadia Internet Store commerce system that allow remote users to locate the scripts directory, read files on the server, and crash the system.

The vulnerabilities reportedly reside in the tradecli.dll module.

The following URL can be used by a remote user to determine the full path to the scripts directory:

http://[targethost]/scripts/tradecli.dll?template=nonexistfile

A remote user can use the following type of URL to navigate up and down directories on the drive that the application is installed on and view files:

http://[targethost]/script/tradecli.dll?template=..\..\..\..\..\path\to\file

A remote user can cause the application to crash by requesting certain MS-DOS devices (e.g., com1, com2, com3, con, prn, aux), using a URL such as the following:

http://[targethost]/scripts/tradecli.dll?template=com1

Impact:   A remote user can send URLs to the server that will display the full path location of the scripts directory, display files located anywhere on the drive that the application is installed on, and crash the application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.magazin.ru/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  NERF Advisory #2 - 1C:Arcadia multiple vulnerablilities.


                     --== NERF gr0up security advisory #2 ==--
    
      Multiple vulnerabilities in web-shop 1C: Arcadia, in module tradecli.dll

1. Show path scripts directory.

Exploit: http://host/scripts/tradecli.dll?template=nonexistfile

Will show error message, witch consist full path to work dir (usually /scripts).
Advice for developers: print this messages only to Event Log.

2. Read any file from drive.

Description:
tradecli.dll - language interpriteter of 1C: Arcadia. It will work up file, pointed in template, interpret
tags, bigining with underline sysmbol (example, <_include...>), all the rest read without changes, put in
ASCIIZ line and then print as result.

Path, pointed in variable template, will not work up for special symbols, so you can get direcory up
(..\) and the full path to file, you may read file only from drive, where lies work directory of 
tradecli.dll.

Exploit: http://host/script/tradecli.dll?template=..\..\..\..\..\path\to\file

Reading of binary files will be embarrassing, because data after 0
symbol will'nt print.

Advice for developers: check for existing file, pointed in template.
Advice for admins: limit perms for tradecli.dll

3. Crash ISAPI-applications (DoS)

Description:
Opening of files: com1, com2, etc. Windows NT application will crash,
that will crash all application (1C: Arcadia), consequently site.

Exploit:
http://host/scripts/tradecli.dll?template=com1
http://host/scripts/tradecli.dll?template=com2
http://host/scripts/tradecli.dll?template=com3
http://host/scripts/tradecli.dll?template=con
http://host/scripts/tradecli.dll?template=prn
http://host/scripts/tradecli.dll?template=aux

Advice for developers: in Windows system befor openning file, you
have to check file for existing (FindOpen etc.)
Advice for admins: wait for next release

----------------------------------------------
Bug found by buggzy, NERF Security gr0up, 2001
www.nerf.ru, buggzy@nerf.ru 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC