Microsoft Commerce Server 2000 OWC Package Installer Local Command Execution Vulnerability

Microsoft Commerce Server is a web server product for building, deploying, and analyzing e-commerce sites. A remote command execution vulnerability has been reported in some versions of Commerce Server 2000.

The Office Web Component (OWC) package installer accepts an optional command as input. An attacker who has a valid account on the server, including logon credentials, can cause an arbitrary command to be executed. The supplied command executes with the privileges of the attacker's account.


Copyright 2010, SecurityFocus