Cart32 Arbitrary File Download Vulnerability

Credit: Paul Craig
Risk: High
Local: No
Remote: Yes

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

======================================================================== = Cart32 Arbitrary File Download Vulnerability = = Vendor Website: = = = Affected Version: = -- All releases prior to and including v6.3 = = Public disclosure on Thursday 4th October 2007 = ======================================================================== Available online at: bitrary_File_Download.pdf == Overview == has discovered a highly critical vulnerability within the Cart32 administrative application. The vulnerability allows a remote unauthenticated user to arbitrarily download any file present on the same physical disk that Cart32 is installed on. The vulnerability stems from a NULL byte injection flaw within a file read function. == Exploitation == The function GetImage, part of c32web.exe displays various images from a supplied "ImageName" variable. C32web.exe attempts to prevent arbitrary files from being disclosed by only returning files with an extension of .jpg, .gif, .png and .pdf. Any file, of any extension type can be downloaded when a NULL byte is injected into the ImageName variable with a valid file extension suffixed directly after. Example f g f g This vulnerability can be used to read any file on disk, including the cart32 database. == Solutions == A new build of Cart32 v6.4 is available to address this vulnerability. highly recommends all Cart32 users to upgrade. == Credit == Discovered and advised to McMurtrey/Whitaker & Associates, Inc October 2007 by Paul Craig of == Greetings == To all my fallen SA brothers. SoSD : Will you be there? == About == is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the R&D team are globally recognised through their release of whitepapers and presentations related to new security research. is an Endorsed Commonwealth Government of Australia supplier and sits on the Australian Government Attorney-General's Department Critical Infrastructure Project panel. We are certified by both Visa and MasterCard under their Payment Card Industry Data Security Standard Programs. Paul Craig

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top