COMMAND

    Carello E-Commerce

SYSTEMS AFFECTED

    Carello E-Commerce V1.2.1 for Windows NT

PROBLEM

    The following is based on Defcom Labs advisory def-2001-25 by Peter
    Grundl.  A malicious user can execute arbitrary commands on the
    E-Commerce server with the privileges of the web server.

    Carello.dll takes the VBEXE parameter as a full physical path to the
    Carello script it should execute, instead of a path relative to the
    webroot.  Some input validation has been added to the program, but
    not to a sufficient degree, as the following example shows:

        http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt

    The ".." component directly after the drive root normalizes away, so
    the VBEXE value above resolves to C:\winnt\system32\cmd.exe, and the
    rest of the value is passed to it as a command line.  The example
    will result in INETINFO.EXE spiking at 100% CPU, and the web server
    will no longer answer HTTP requests.  The web service cannot be
    stopped or restarted; the server must be rebooted to regain
    functionality.  The command is executed with the privileges of the
    web server, which for IIS usually means LocalSystem.

    The test was performed on a Windows NT 4.0 Server with SP 6a.
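    As an added illustration (not part of the Defcom advisory and not
    Carello's code), the following Python sketch contrasts a raw-string
    denylist check, which the advisory's "C:\..\" value slips past, with
    a resolver that canonicalizes the VBEXE value under the script
    directory and rejects anything that escapes it or smuggles in a
    command line.  The script root, the denylisted directories, the
    ".vbs" extension allowlist and the "split on first space" model of
    how the DLL launches the target are all assumptions; the advisory
    does not describe Carello's actual check or file layout.  It uses
    Python's ntpath module so the Windows path rules apply regardless of
    the host the example is run on.

```python
"""Path validation sketch for the Carello.dll VBEXE issue (added example,
not Carello's code). Uses ntpath so Windows path semantics apply on any OS."""
import ntpath

# Hypothetical layout; the advisory does not document the real one.
SCRIPT_ROOT = r"C:\inetpub\scripts\Carello"
ALLOWED_EXTS = {".vbs"}                  # placeholder allowlist
SYSTEM_DIRS = (r"c:\winnt", r"c:\windows")  # placeholder denylist

# The VBEXE value from the advisory's URL, URL-decoded.
ADVISORY_VBEXE = r"C:\..\winnt\system32\cmd.exe /c echo test>c:\defcom.txt"


def naive_allowed(vbexe: str) -> bool:
    """A denylist applied to the raw string: our guess at the shape of the
    'some input validation' the advisory mentions. It never normalizes the
    path, so 'C:\\..\\winnt' is not seen as 'C:\\winnt'."""
    return not vbexe.lower().startswith(SYSTEM_DIRS)


def what_would_run(vbexe: str):
    """Model (assumption) of what the vulnerable DLL ends up launching: the
    value is handed to the OS as a command line, so the first token is the
    program and the remainder its arguments. Returns (program, args)."""
    program, _, args = vbexe.partition(" ")
    return ntpath.normpath(program), args


def hardened_resolve(vbexe: str, root: str = SCRIPT_ROOT):
    """Treat VBEXE as a file name relative to the script root, never as a
    command line. Return the canonical path to run, or None if rejected."""
    # A script name carries no arguments: whitespace, redirection or
    # pipe characters mean someone is smuggling a command line through.
    if any(ch.isspace() or ch in "<>|&\"" for ch in vbexe):
        return None
    # Refuse values with their own drive letter, or rooted/UNC paths
    # (explicit check because ntpath.isabs treats '\\x' differently
    # across Python versions).
    drive, rest = ntpath.splitdrive(vbexe)
    if drive or ntpath.isabs(vbexe) or rest.startswith(("\\", "/")):
        return None
    # Canonicalize under the root, then confirm we are still inside it.
    candidate = ntpath.normpath(ntpath.join(root, vbexe))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    if not ntpath.normcase(candidate).startswith(root_norm + "\\"):
        return None
    # Only known script types may be executed at all.
    if ntpath.splitext(candidate)[1].lower() not in ALLOWED_EXTS:
        return None
    return candidate


if __name__ == "__main__":
    print("naive check passes advisory value:", naive_allowed(ADVISORY_VBEXE))
    print("which would launch:", what_would_run(ADVISORY_VBEXE))
    print("hardened resolver:", hardened_resolve(ADVISORY_VBEXE))
    print("legitimate script:", hardened_resolve(r"cart\checkout.vbs"))
```

    The hardened resolver rejects the advisory's payload three times
    over (embedded command line, explicit drive letter, and a canonical
    path outside the script root); any one of those checks would have
    been enough, which is the point of validating the resolved path
    rather than the bytes the client sent.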

SOLUTION

    Pacific  Software  Publishing,  Inc.  has  released version 1.3 to
    correct the problem and introduce  support for Windows 2000.   You
    can download it at http://www.carelloweb.com