Published:2015/03/20  Last Updated:2015/03/20

Information from futomi Co., Ltd.

Vulnerability ID:JVN#39175666
Title:MP Form Mail CGI eCommerce edition vulnerable to code injection
Status:Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Overview]

MP Form Mail CGI eCommerce edition contains a code injection vulnerability only if this CGI is used on Windows Server. Remote attackers leveraging this vulnerability may be able to execute arbitrary code on the server in which this CGI is installed.

Though this CGI does not support Windows Server officially, it actually can be used on Windows Server and some users are using this CGI on Windows Server. Thus this CGI was updated.


[Affected Products]

- MP Form Mail CGI eCommerce Edition version 2.0.11 and earlier.

(If this CGI is used on a server other than Windows Server, such as Linux Server, it is *not* affected by this vulnerability.)


[Solution]

If MP Form Mail CGI eCommerce Edition is used on Windows Server, update it to the latest version.

http://www.futomi.com/library/mpmailec.html