[ Cgi Security Advisory #5 ]
admin@cgisecurity.com

VirtualCatalog Product Manager [CORRECTED]

Found:            April 2001
Public release:   June 2001
Vendor contacted: April 2001
Script affected:  VirtualCatalog Product Manager
Price:            $199.00 for a single user license
Versions:         All versions appear to be affected
Platforms:        Unix, Linux, NT
Vendor:           http://www.vcart.com

1. Problem

The problem lies in a file called CatalogMgr.pl. The "template" variable is used without any validation, and because of this a remote attacker can read files on the server and execute commands with the uid of the web server (usually "www" or "nobody"). Since CatalogMgr.pl is a Perl script, the usual way such a bug turns into command execution is an unchecked filename reaching a two-argument open(), which treats a name ending in "|" as a command to run rather than a file to read.

The following request returns the script's own source code:

http://host/cgi-bin/CatalogMgr.pl?cartID=&template=CatalogMgr.pl

(Note: paths may vary.)

2. Fixes

The vendor has been contacted about this issue. Check the vendor web page for further updates, or use the vendor patch referred to at the top of this advisory.

One quick fix for the remote command execution is to run the script in Perl's "taint mode". This is done by modifying the path to perl on the first line of the script: change

#!/usr/bin/perl

to

#!/usr/bin/perl -T

Two caveats. First, taint mode refuses to pass user-supplied data to a shell, a pipe or a file opened for writing, but it still allows a tainted name to be opened for reading, so it stops the command execution but not the source-code disclosure shown above; that needs the template name checked against a whitelist before it reaches open(). Second, the -T switch on the #! line only takes effect when the web server executes the script directly; if a wrapper runs it as "perl CatalogMgr.pl", perl aborts with "Too late for -T" and the switch has to be given on that command line instead.

It is also noted that the vendor found three other holes after we contacted them; the patch above fixes those holes as well.

3. Corrections

This advisory was originally published under VirtualCart Shopping software. The error was caused by a lack of communication and by the loss of important notes in a hard-drive failure. There is no security issue in VirtualCart Shopping software, and we apologise for this serious error.

Published to the public June 2001
Copyright May 2001 Cgisecurity.com
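The vulnerable pattern and the taint-mode fix described above, shown side by side as an added example. This is not the vendor's CatalogMgr.pl and not code from the original advisory; the template directory path, the ".html" suffix and the hand-rolled query-string parser are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not the vendor's CatalogMgr.pl: a minimal CGI script that
# serves a template chosen by the "template" query parameter. It runs under
# taint mode (-T) and untaints the name against a whitelist before the open.
use strict;
use warnings;

# Taint mode requires a known-safe environment before any external call.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumption: templates are plain .html files in one fixed directory.
my $TEMPLATE_DIR = '/usr/local/vcart/templates';

# Tiny query-string parser (avoids a CGI.pm dependency); values come from
# the environment and are therefore tainted under -T.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) { s/\+/ /g; s/%([0-9A-Fa-f]{2})/chr hex $1/eg; }
        $p{$k} = $v;
    }
    return \%p;
}

# VULNERABLE form, as the advisory describes it (kept for comparison only,
# never called): the raw parameter becomes the filename. "CatalogMgr.pl"
# returns the script's own source, "../../etc/passwd" walks the tree, and
# because this is a two-argument open, a name ending in "|" is executed as
# a command. Under -T perl dies on the piped open but still allows the read.
sub render_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED form: whitelist the name, pin it under $TEMPLATE_DIR, refuse
# anything that is not a regular file, and use three-argument open so the
# filename can never be interpreted as a pipe.
sub safe_template_path {
    my ($name) = @_;
    # The regex capture $1 is the only value that leaves this sub untainted;
    # slashes, "..", "|", NUL and over-long names all fail the match.
    return undef unless defined $name
        && $name =~ m{\A([A-Za-z0-9_-]{1,64})(?:\.html)?\z};
    my $path = "$TEMPLATE_DIR/$1.html";
    return undef unless -f $path && !-l $path;
    return $path;
}

sub render_safe {
    my ($name) = @_;
    my $path = safe_template_path($name);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

my $param = parse_query($ENV{QUERY_STRING} // '');
my $body  = render_safe($param->{template});
if (defined $body) {
    print "Content-Type: text/html\r\n\r\n", $body;
} else {
    print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n",
          "unknown template\r\n";
}
```

With this in place the request from section 1, ?template=CatalogMgr.pl, fails the whitelist (the name has no ".html" suffix and would not be under the template directory anyway) and gets a 400 instead of the script's source. Note that -T alone would not have stopped that request: the regex untaint and the fixed directory are what close the file-read hole, while taint mode and the three-argument open close the command-execution one.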