mailing list archives
Cart32 Arbitrary File Download Vulnerability
From: "Paul Craig" <paul.craig () security-assessment com>
Date: Thu, 4 Oct 2007 15:13:35 +1300
= Cart32 Arbitrary File Download Vulnerability
= Vendor Website:
= Affected Version:
= -- All releases prior to and including v6.3
= Public disclosure on Thursday 4th October 2007
Available online at:
== Overview ==
Security-Assessment.com has discovered a highly critical vulnerability
within the Cart32 administrative application. The vulnerability allows
a remote unauthenticated user to arbitrarily download any file present
on the same physical disk that Cart32 is installed on.
The vulnerability stems from a NULL byte injection flaw within a file
== Exploitation ==
The function GetImage, part of c32web.exe displays various images from
a supplied "ImageName" variable.
C32web.exe attempts to prevent arbitrary files from being disclosed by
only returning files with an extension of .jpg, .gif, .png and .pdf.
Any file, of any extension type can be downloaded when a NULL byte is
injected into the ImageName variable with a valid file extension
This vulnerability can be used to read any file on disk, including the
== Solutions ==
A new build of Cart32 v6.4 is available to address this vulnerability.
Security-Assessment.com highly recommends all Cart32 users to upgrade.
== Credit ==
Discovered and advised to McMurtrey/Whitaker & Associates, Inc
October 2007 by Paul Craig of Security-Assessment.com
== Greetings ==
To all my fallen SA brothers.
www.kiwicon.org : Will you be there?
== About Security-Assessment.com ==
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and
a high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
Security-Assessment.com is an Endorsed Commonwealth Government of
Australia supplier and sits on the Australian Government
Attorney-General's Department Critical Infrastructure Project panel.
We are certified by both Visa and MasterCard under their Payment
Card Industry Data Security Standard Programs.
- Cart32 Arbitrary File Download Vulnerability Paul Craig (Oct 04)