CVE-2000-0396

Carello - Unauthenticated Arbitrary File Read via add.exe File Duplication

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0396. PoCs published by Cerberus Security Team.

AI-analyzed exploit summary This exploit leverages a file duplication vulnerability in Carello shopping cart software via the add.exe script, allowing remote users to read and write files on the target system by appending a '1' to the filename. It requires the anonymous internet account to have write access to the relevant directories.

Description

The add.exe program in the Carello shopping cart software allows remote attackers to duplicate files on the server, which could allow the attacker to read source code for web scripts such as .ASP files.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Cerberus Security Team · textremotewindows

https://www.exploit-db.com/exploits/19957

View Code ZIP pw:eip

This exploit leverages a file duplication vulnerability in Carello shopping cart software via the add.exe script, allowing remote users to read and write files on the target system by appending a '1' to the filename. It requires the anonymous internet account to have write access to the relevant directories.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Carello shopping cart software

No auth needed

Prerequisites: Anonymous internet account with write access to target directories

MITRE ATT&CK

T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/1245

Third Party Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2000-05/0285.html

Scores

EPSS 0.0687

EPSS Percentile 93.2%

Details

Status published

Products (1)

pacific_software/carello 1.2.1

Published May 24, 2000

Tracked Since Feb 18, 2026