CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
91.3%
The remote host is running the Comersus Shopping Cart Software.
There is a flaw in this interface that allows an attacker to log in as any user by using a SQL injection flaw in the code of comersus_backoffice_login.php.
An attacker may use this flaw to gain unauthorized access on this host, or to gain the control of the remote database.
In addition to this, the remote version of this software may be vulnerable to other issues (see BID 10674).
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if(description)
{
script_id(14183);
script_version("1.25");
script_cve_id("CVE-2004-0681", "CVE-2004-0682");
script_bugtraq_id(10674, 10824);
script_xref(name:"Secunia", value:"12026");
script_xref(name:"Secunia", value:"12183");
script_name(english: "Comersus Cart Multiple Input Validation Vulnerabilities (SQLi, XSS)");
script_summary(english:"Checks for Comersus");
script_set_attribute( attribute:"synopsis", value:
"The web application running on the remote host has multiple
vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote host is running the Comersus Shopping Cart Software.
There is a flaw in this interface that allows an attacker to log in
as any user by using a SQL injection flaw in the code of
comersus_backoffice_login.php.
An attacker may use this flaw to gain unauthorized access on
this host, or to gain the control of the remote database.
In addition to this, the remote version of this software may be
vulnerable to other issues (see BID 10674)." );
script_set_attribute(
attribute:"see_also",
value:"https://seclists.org/bugtraq/2004/Jul/71"
);
script_set_attribute(
attribute:"see_also",
value:"https://seclists.org/bugtraq/2004/Aug/14"
);
script_set_attribute(
attribute:"see_also",
value:"https://seclists.org/fulldisclosure/2004/Jul/1245"
);
script_set_attribute(
attribute:"solution",
value:"Upgrade to the latest version of the software."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/02");
script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/06");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english: "CGI abuses");
script_copyright(english: "This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
script_dependencie("http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_keys("www/ASP");
exit(0);
}
# The script code starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:3689);
if (! get_port_state(port)) exit(0);
if (! can_host_asp(port:port)) exit(0);
if (wont_test_cgi(port: port)) exit(0);
foreach dir (make_list( cgi_dirs()))
{
r = http_send_recv3( port: port, method: 'POST',
item:dir + "/comersus_backoffice_login.php",
data: "adminName=admin%27&adminpassword=123456&Submit2=Submit",
add_headers: make_array("Content-Type", "application/x-www-form-urlencoded") );
if (isnull(r)) exit(0);
if (egrep(pattern: "Microsoft.*ODBC.*80040e14", string: r[2]))
{
security_hole(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}