COMMAND

    uStorekeeper

SYSTEMS AFFECTED

    uStorekeeper(tm) Online Shopping System - ustorekeeper.pl version 1.61 (probably others, but not tested)

PROBLEM

    UkR hacking team found the following.  '..' and '/' are not filtered
    while processing user input, so it is possible to enter arbitrary
    values to retrieve files from the remote server that should not
    normally be accessible (e.g., /etc/passwd).

    Exploit:

        http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts
        http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |

    zenomorph from 'cgisecurity' added the following.  The following
    advisory was actually found in December of 2000 by the staff at
    cgisecurity.com.  No Bugtraq post was published, on the other hand,
    because after speaking with the vendor they informed them that not
    every version was affected and that the newer versions of this
    product have been patched.  A staff member of cgisecurity.com did
    make a proof of exploit for this code, but they did give little
    details of the vendor due to them asking them not to.

SOLUTION

    Workaround:

        # this will help somewhat: strip '..', '/' and '|' from the input,
        # repeating until nothing is left to strip
        1 while $input =~ s/\.\.|[\/|]//g;
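
    A stricter alternative to stripping characters is to accept only
    known-good names.  The sketch below is an added example, not code
    from ustorekeeper.pl or its vendor; the sub name open_page and the
    directory in $BASE_DIR are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hypothetical hardened lookup for a CGI "file" parameter.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Assumption: all servable pages live under one directory (placeholder path).
my $BASE_DIR = '/var/www/store/pages';

# Returns a read-only filehandle for $name, or undef if the name is refused.
sub open_page {
    my ($name) = @_;

    # Allowlist: one path component of safe characters that does not start
    # with a dot. This refuses '..', '/', '|', NUL bytes and whitespace.
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/;

    # Resolve symlinks and confirm the result is still inside $BASE_DIR.
    my $base = realpath($BASE_DIR);
    return unless defined $base;
    my $path = realpath(File::Spec->catfile($base, $name));
    return unless defined $path
        && index($path, "$base/") == 0
        && -f $path;

    # Three-argument open: the mode is fixed to '<', so a trailing '|' in
    # a name is never interpreted by Perl as a command to run.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: the two values from the advisory plus a normal name.
# The normal name is served only if that file exists under $BASE_DIR.
for my $candidate ('../../../../../../../../etc/hosts',
                   '../../../../../../../../bin/ls |',
                   'catalog.html') {
    my $fh = open_page($candidate);
    printf "%-40s %s\n", $candidate, $fh ? 'served' : 'refused';
    close $fh if $fh;
}
```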