CVE-1999-1069

iCat Carbo Server 3.0.0 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-1069. PoCs published by Mikael Johansson.

AI-analyzed exploit summary The vulnerability in iCat Electronic Commerce Suite's Carbo Server component allows directory traversal via malformed HTTP requests, enabling unauthorized file access. The provided example demonstrates how an attacker can retrieve arbitrary files by manipulating the 'icatcommand' parameter.

Description

Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Mikael Johansson · textremotemultiple
https://www.exploit-db.com/exploits/20513

The vulnerability in iCat Electronic Commerce Suite's Carbo Server component allows directory traversal via malformed HTTP requests, enabling unauthorized file access. The provided example demonstrates how an attacker can retrieve arbitrary files by manipulating the 'icatcommand' parameter.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: iCat Electronic Commerce Suite (Carbo Server component)
No auth needed
Prerequisites: Network access to the target system · Carbo Server component exposed to HTTP requests
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/1620
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/7943
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/2126

Scores

EPSS 0.0805
EPSS Percentile 94.1%

Details

Status published
Products (1)
icat/electronic_commerce_suite 3.0.0
Published Nov 08, 1997
Tracked Since Feb 18, 2026