HTTP: Carello 1.3 Remote File Execution

This signature detects attempts to exploit a known vulnerability in Carello Shopping Cart. Versions 1.3 and prior are vulnerable. To pass data between scripts during a session, the Web server relies on insecure hidden form fields that name local executables. Because these fields are not validated, an attacker can point one at an executable of their choosing and compromise the system.

Extended Description

A vulnerability in Carello could enable a remote user to execute arbitrary commands on the vulnerable system. Reportedly, the flaw lies in the way Carello.dll accepts HTTP requests: the library does not properly validate user-supplied input, so requests containing directory traversal sequences are processed as-is.
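The following is an added detection heuristic written for this entry, not Juniper's signature logic or Carello's code: it scopes to requests for Carello.dll and flags any query-string or body field that carries a traversal sequence or names an executable. The request path, field names and executable-extension list are assumptions, since the page gives neither the hidden field's name nor the handler's URL.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical heuristic (not the IDP signature): requests for Carello.dll whose
# form fields carry "../" or "..\" or name an executable are reported. The field
# Carello actually uses is not given on the page, so every field is inspected.
TRAVERSAL = re.compile(r"\.\.[/\\]")
EXECUTABLE = re.compile(r"\.(exe|bat|cmd|com|dll)$", re.IGNORECASE)  # assumed list


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    _method, target, _version = head.split("\r\n")[0].split(" ", 2)
    return target, body


def suspicious_fields(raw):
    """Return the names of form fields that look like Carello executable abuse."""
    target, body = parse_request(raw)
    parts = urlsplit(target)
    if "carello.dll" not in parts.path.lower():
        return []  # out of scope: not the vulnerable handler
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in fields:
        value = unquote(value).strip()  # second decode catches %252e%252e%252f
        if TRAVERSAL.search(value) or EXECUTABLE.search(value):
            hits.append(name)
    return hits


# Constructed sample requests; path and field names are invented for the demo.
BENIGN = ("POST /scripts/Carello/Carello.dll HTTP/1.0\r\nHost: shop.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "code=SPACE1&qty=2&nextstep=checkout")
SUSPECT = ("POST /scripts/Carello/Carello.dll HTTP/1.0\r\nHost: shop.example\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "code=SPACE1&nextstep=..%2F..%2F..%2Fplaceholder%2Fexample.exe")
ELSEWHERE = "GET /images/../../etc/passwd HTTP/1.0\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT), ("elsewhere", ELSEWHERE)):
        print(label, suspicious_fields(req))
```

The traversal check is applied after a second URL decode so that doubly-encoded sequences are not missed; the ELSEWHERE request is deliberately left unflagged because the heuristic is scoped to the Carello handler.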

Affected Products

Pacific_software carello

Short Name
HTTP:PKG:CARELLO-VBEXEC
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
1.3 CVE-2002-0683 Carello Execution File Remote bid:5192
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3336
False Positive
Unknown
Vendors
Pacific_software
CVSS Score
7.5