Signature Detail
Short Name |
HTTP:PKG:CARELLO-VBEXEC |
|---|---|
Severity |
Medium |
Recommended |
No |
Category |
HTTP |
Keywords |
Carello 1.3 Remote File Execution |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Carello 1.3 Remote File Execution
This signature detects attempts to exploit a known vulnerability in Carello Shopping Cart. Version 1.3 and prior are vulnerable. To pass data between scripts during a session, the Web server uses insecure hidden form fields to specify local executables. Attackers can specify an external executable to compromise the system.
Extended Description
A vulnerability exists in Carello which could enable a remote user to execute arbitrary commands on the vulnerable system. Reportedly, the flaw exists in the way Carello.dll accepts HTTP requests. The Carello.dll library doesn't ensure proper checking of user supplied input for HTTP requests containing directory traversal sequences.
Affected Products
- Pacific Software Carello 1.3.0
References
- BugTraq: 5192
- CVE: CVE-2002-0683
- URL: http://www.carelloweb.com
- URL: http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt