Introduction: Commerce.cgi can have your store's catalog up and running on the web in literally a couple of hours. The easy to use Store Manager will even allow you to add and remove products from your inventory right through your web browser. Best of all, it's free, vulnerable & open source. The Vendors website is: http://www.commerce-cgi.com Problem: Directory Traversal, Adding the string "/../%00" infront of a webpage document will allow an remote attacker to be able to view any files on the server, provided that the httpd has the correct permissions. You need to know the directory and file for it to be viewable, and directory listing and remote command execution doesn't appear to be possible. Although it may be possible to view some transactions of cc#'s with the proper tinkering, and depending on if the admin has set proper directory permissions. Examples: http://VULNERABLE.com/cgi/commerce.cgi? page=../../../../etc/hosts%00index.html ^^ = Will obviously open the hosts file. Notice the "index.html" being added. http://VULNERABLE.com/cgi/commerce.cgi? page=../../../../etc/hosts%00.html ^^ = Will NOT work, because there is no actual webpage entered behind the %00. Note: There are some other variants of commerce.cgi floating around on the web, so if your looking for this commerce.cgi hole, then keep an eye open for "?page=" within the url. All previous versions and current of commerce.cgi (2.0 b1) apear to be vulnerable. (the ../../'s depend on the paths and what not, play with it) Solution: Vendor has been notified. A fix and updated version has been released on their website. Update. -------------------- Midnight Labs CGI Advisory [EMAIL PROTECTED] Found: February 11th, 2001. Fix Out: February 12th, 2001.