Alert: Carello File Creation flaw

[CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)]

Cerberus Information Security Advisory (CISADV000524b)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 24th May 2000
Name: Carello Web file overwriting vulnerability
Affected Systems : Windows NT running IIS
Issue: Remote attackers can write to a server and view
source of .asp files
Author: Robert Horton (hyphen () devilnet-uk net)

Description
***********
The Cerberus Security Team have discovered a flaw in the Carello web
shopping cart that enables attackers to create files on the server's
computer. If the file already exists, then a copy of it is made with a
slightly different file extension. For example foo.txt becomes foo.txt1.
This becomes exploitable when a copy is made of foo.asp as its contents are
copied to foo.asp1 which is not a recognised file format. When this page is
then requested the source code is downloaded. This can often contain
sensitive information such as passwords and the like.

Details
*******

The following url:
http://charon/scripts/Carello/add.exe?C:\inetpub\iissamples\default\samples.
asp
will create samples.asp1 which can then be viewed. The attacker needs to
know the full path of the file that he/she wishes to copy. This is not
difficult to work out as many of the links in the Carello Web product give
this information away. There are a large number of executables in the
/scripts/Carello directory, and all of the ones tested have exhibited this
behaviour. It must me noted however, that the NTFS permissions must also
allow for the anonymous Internet account to be able to write to the relevant
directory.

A check for this has been added to Cerberus' vulnerability scanner CIS,
available from the Cerberus website - http://www.cerberus-infosec.co.uk/

Vendor Status
*************

PSPInc (www.pspinc.com) were informed of this on the 8 May. This product is
no longer being supported although they say that a new version is due out in
a couple of months which fixes these problems.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd