Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Commerce)  >   Carello Shopping Cart Vendors:   Pacific Software Publishing
Carello Shopping Cart Input Validation Flaw in 'VBEXE' Parameter Lets Remote Users Cause Files on the Server to Be Executed
SecurityTracker Alert ID:  1004735
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 10 2002
Impact:   Execution of arbitrary code via network

Version(s): 1.3
Description:   A vulnerability was reported in the Carello Shopping Cart. A remote user can cause files on the server to be executed.

Westpoint issued an advisory warning that a remote user can submit a specially crafted HTML form to cause the server software to execute any executable file located on the system. The vulnerability can be triggered by manipulating the 'VBEXE' form value using directory traversal characters ('\..'), as shown below:

<input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file">

It is reported that the Carello .dll apparently validates that the string 'inetpub' is in the requested path but does not ensure that the path is an authorized path.

A demonstration value is provided:


According to the report, it is not possible to pass parameters to the executable.

The vendor has reportedly been notified.

Impact:   A remote user can cause a user-specified file on the server to be executed.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] wp-02-0012: Carello 1.3 Remote File Execution

Westpoint Security Advisory

Title:          Carello 1.3 Remote File Execution
Risk Rating:    Medium
Software:       Carello Shopping Cart
Platforms:      Win2k, WinNT
Vendor URL:
Author:         Matt Moore <>
Date:           10th July 2002
Advisory ID#:   wp-02-0012


Carello 1.3 is a web based shopping cart solution, which uses hidden 
HTML form
fields to specify executables to handle POSTed form data.


Remote File Execution

Carello uses hidden form fields to specify the names of executables on 
the server which
are to handle POSTed form data. This allows an attacker to manipulate 
the HTML to
specify arbitrary executables, which the Carello server software will 
then run. For
example, a typical section of an HTML page created by Carello looks like 
(angle brackets

form method="POST" action= "http://server/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
input type=....etc etc

Carello .dll only appears to check that the string 'inetpub' is in the 
requested path.

Hence, specifying a value like ' 
c:\inetpub\..\..\..\..\..\..\winnt\notepad.exe '
bypasses this check, allowing arbitrary files to be executed.

It does not appear to be possible to pass parameters to the executed 
which lessens the severity of this vulnerability. However, it would be 
more serious
if an attacker could upload files to the server (e.g. via ftp)

Vendor response:
The vendor indicated that the vulnerability will be fixed in the next 
of Carello. When asked for an expected release date, they replied that:

'Unfortunately, we do not have a plan to upgrade the program so far. But 
I put
your indication on our program modification request list.'

This advisory is available online at:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC