Cartweaver ‘helpFileName’ Parameter Local File Include Vulnerability

Summary

Cartweaver is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Credit:

Details

Vulnerable Systems:
 * Cartweaver 4.0

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Cartweaver 3 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially crafted URL request to the AdminHelp.php script, using the helpFileName parameter to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable web server.

Note: To exploit this vulnerability to execute arbitrary code, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file.

Proof of Concept:

An attacker can exploit the issue with a browser.
The following example URI is available:
http://www.example.com/cw3/admin/helpfiles/AdminHelp.php?helpFileName=a/../../../../../../../../../../../../etc/passwd
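
For defenders reviewing web server logs, the following added example (not part of the original advisory and not Cartweaver code) flags requests to AdminHelp.php whose helpFileName value resolves outside its own directory. The log lines, client addresses and the orders.php help-file name are constructed sample data, and the combined access-log format is an assumption.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Oct/2012:10:01:02 +0000] "GET /cw3/admin/helpfiles/AdminHelp.php?helpFileName=a/../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [15/Oct/2012:10:01:09 +0000] "GET /cw3/admin/helpfiles/AdminHelp.php?helpFileName=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
203.0.113.20 - - [15/Oct/2012:10:02:30 +0000] "GET /cw3/admin/helpfiles/AdminHelp.php?helpFileName=orders.php HTTP/1.1" 200 5120
203.0.113.20 - - [15/Oct/2012:10:02:41 +0000] "GET /cw3/admin/index.php?page=../x HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so layered encodings of '/' and '.' are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_help_dir(name):
    """True if the value is absolute, holds a NUL byte, or normalises to a parent directory."""
    name = fully_decode(name).replace("\\", "/")
    if "\x00" in name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")

def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for AdminHelp.php requests that escape the directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/adminhelp.php"):
            continue
        # parse_qs percent-decodes once; escapes_help_dir handles any further layers.
        for value in parse_qs(url.query, keep_blank_values=True).get("helpFileName", []):
            if escapes_help_dir(value):
                hits.append((ip, value))
    return hits
```

Calling `suspicious_requests(SAMPLE_LOG)` returns the two traversal requests from 198.51.100.7 and ignores the ordinary help-file request and the unrelated script.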

Disclosure Timeline:
Published : Oct 15 2012
Updated : Oct 15 2012
