COMMAND

    Commerce.cgi

SYSTEMS AFFECTED

    Commerce.cgi

PROBLEM

    Following is based on a Midnight Labs CGI Advisory.   Commerce.cgi
    can  have  your  store's  catalog  up  and  running  on the web in
    literally a couple of hours.   The easy to use Store Manager  will
    even allow  you to  add and  remove products  from your  inventory
    right  through  your  web  browser.   Best  of  all,  it's   free,
    vulnerable & open source.

    Adding the  string "/../%00"  infront of  a webpage  document will
    allow an  remote attacker  to be  able to  view any  files on  the
    server, provided that the httpd has the correct permissions.   You
    need to know  the directory and  file for it  to be viewable,  and
    directory listing and remote  command execution doesn't appear  to
    be  possible.   Although   it  may  be   possible  to  view   some
    transactions of cc#'s with the proper tinkering, and depending  on
    if the admin has set proper directory permissions.

    Examples:

        http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00index.html

    Will obviously open the hosts file.  Notice the "index.html" being
    added.

        http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00.html

    Will NOT work, because there  is no actual webpage entered  behind
    the %00.

    There are some other  variants of commerce.cgi floating  around on
    the web, so if your looking for this commerce.cgi hole, then  keep
    an eye open  for "?page=" within  the url.   All previous versions
    and current of commerce.cgi (2.0  b1) apear to be vulnerable  (the
    ../../'s depend on the paths and what not, play with it).

SOLUTION

    Vendor has  been notified.   A fix  and updated  version has  been
    released on their website.  Update.