CVE-2007-5253

Cart32 < 6.3 - Arbitrary File Read via ImageName Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5253. PoCs published by Paul Craig.

AI-analyzed exploit summary The exploit demonstrates an arbitrary file download vulnerability in Cart32 by manipulating the 'ImageName' parameter with null byte injection to bypass file extension checks. This allows attackers to retrieve sensitive files from the server.

Description

c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote attackers to read arbitrary files via the ImageName parameter in a GetImage action, by appending a NULL byte (%00) sequence followed by an image file extension, as demonstrated by a request for a ".txt%00.gif" file. NOTE: this might be a directory traversal vulnerability.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Paul Craig · textwebappscgi

https://www.exploit-db.com/exploits/30639

View Code ZIP pw:eip

The exploit demonstrates an arbitrary file download vulnerability in Cart32 by manipulating the 'ImageName' parameter with null byte injection to bypass file extension checks. This allows attackers to retrieve sensitive files from the server.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cart32 6.3 and prior versions

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK