COMMAND
Store.cgi
SYSTEMS AFFECTED
Thinking Arts Store.cgi
PROBLEM
The following is based on a b10z CGI advisory by slipy. The Thinking Arts
LTD E-Commerce package ships with a web-store front end called
store.cgi, which lets customers order products on the site; the store
data is kept in a SQL database.
Adding the string "/../" to a URL allows an attacker to view any file
on the server, and also to list any directory on the server that the
user the vulnerable httpd runs as has permission to read. Remote
execution of commands does not appear to be possible with this
directory traversal bug, but directory listings are. Note that the
trailing %00.html is required for the request to work.
Examples:
http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
  (returns the contents of the hosts file)
http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
  (returns a listing of the /etc/ directory)
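The two ingredients of the bug above are parent-directory references in
StartID and a NUL byte (%00) that cuts the path short in front of the
".html" suffix. The following Python is an added example, not Thinking
Arts code and not the original store.cgi (which is not available); it
shows the input handling a fixed script needs and a small scanner over
constructed access-log lines so an administrator can see whether the
pattern has been tried. CONTENT_ROOT, the page-name rule and the sample
log lines are assumptions made for the example.

```python
"""Defensive handling of a StartID-style page parameter (added example).

Two checks are applied: reject any NUL byte, so "%00.html" can no longer
truncate the path behind an extension check, and accept only a plain
page name that resolves under the content directory, so "../" cannot
escape it. find_traversal_attempts() runs the same validator over
constructed web-server log lines to flag requests that would have been
refused.
"""
import os
import re
from urllib.parse import unquote

# Hypothetical location of the store's HTML pages (assumption).
CONTENT_ROOT = "/var/www/store/pages"
ALLOWED_EXT = ".html"


def resolve_start_id(start_id: str, root: str = CONTENT_ROOT) -> str:
    """Map a StartID value to a file path under root, or raise ValueError."""
    decoded = unquote(start_id)
    # A NUL byte would end the filename early inside a C-level open(),
    # which is why "../etc/hosts%00.html" can pass a ".html" suffix check.
    if "\x00" in decoded:
        raise ValueError("NUL byte in StartID")
    # Treat StartID as an opaque page name: no slashes, no dots, nothing
    # that could be interpreted as a directory component.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", decoded):
        raise ValueError("StartID is not a plain page name")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded + ALLOWED_EXT))
    # Even a well-formed name must still resolve inside the content root
    # (covers a symlink someone managed to place under that directory).
    if os.path.commonpath([candidate, real_root]) != real_root:
        raise ValueError("StartID resolves outside the content root")
    return candidate


def is_safe_start_id(start_id: str) -> bool:
    """True when StartID would be accepted by resolve_start_id()."""
    try:
        resolve_start_id(start_id)
        return True
    except ValueError:
        return False


# Constructed Apache-style access-log lines for the demonstration; they
# are not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:02 +0000] "GET /cgi-bin/store.cgi?StartID=catalog HTTP/1.0" 200 2345
10.0.0.9 - - [12/Mar/2001:10:02:15 +0000] "GET /cgi-bin/store.cgi?StartID=../etc/hosts%00.html HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2001:10:02:40 +0000] "GET /cgi-bin/store.cgi?StartID=..%2fetc%2f%00.html HTTP/1.0" 200 4096
"""

# Pull the raw StartID value out of a store.cgi request line.
START_ID_RE = re.compile(r'store\.cgi\?[^" ]*StartID=([^" &]*)')


def find_traversal_attempts(log_text: str) -> list:
    """Return the StartID values in the log that the validator would refuse."""
    hits = []
    for line in log_text.splitlines():
        match = START_ID_RE.search(line)
        if match and not is_safe_start_id(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for value in ("catalog", "../etc/hosts%00.html", "../etc/%00.html"):
        print(f"{value!r}: {'accepted' if is_safe_start_id(value) else 'refused'}")
    print("flagged in log:", find_traversal_attempts(SAMPLE_LOG))
```

Both the NUL check and the name whitelist are needed: stripping "../"
alone leaves the %00 truncation in place, and rejecting %00 alone still
lets a relative path walk out of the content directory. The log scanner
decodes the parameter before judging it, so URL-encoded variants such as
"..%2f" are caught the same way as the literal form.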
SOLUTION
The vendor has been contacted; no reply has been received yet.