ID: CVE-2004-0300
Type: cve
Reporter: cve@mitre.org
Modified: 2017-07-11T01:30:00
Description
SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php.
{"osvdb": [{"lastseen": "2017-04-28T13:20:11", "bulletinFamily": "software", "cvelist": ["CVE-2004-0300"], "edition": 1, "description": "## Vulnerability Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'shop_by_brand.php' script not properly sanitizing user-supplied input to the 'cat_manufacturer' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'shop_by_brand.php' script not properly sanitizing user-supplied input to the 'cat_manufacturer' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/directory/lite/shop_by_brand.php?cat_manufacturer=[SQL]\n## References:\nVendor URL: http://www.alarit.com/\n[Secunia Advisory ID:10902](https://secuniaresearch.flexerasoftware.com/advisories/10902/)\n[Related OSVDB ID: 3973](https://vulners.com/osvdb/OSVDB:3973)\n[Related OSVDB ID: 15448](https://vulners.com/osvdb/OSVDB:15448)\n[Related OSVDB ID: 15446](https://vulners.com/osvdb/OSVDB:15446)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107712117913185&w=2\n[CVE-2004-0300](https://vulners.com/cve/CVE-2004-0300)\nBugtraq ID: 9687\n", "modified": "2004-02-17T23:50:29", "published": "2004-02-17T23:50:29", "href": "https://vulners.com/osvdb/OSVDB:15447", "id": "OSVDB:15447", "title": "Online Store Kit shop_by_brand.php cat_manufacturer Variable SQL Injection", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:11", "bulletinFamily": "software", "cvelist": 
["CVE-2004-0300"], "edition": 1, "description": "## Vulnerability Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'listing.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'listing.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/directory/listing.php?id=[SQL]\n## References:\nVendor URL: http://www.alarit.com/\n[Secunia Advisory ID:10902](https://secuniaresearch.flexerasoftware.com/advisories/10902/)\n[Related OSVDB ID: 15447](https://vulners.com/osvdb/OSVDB:15447)\n[Related OSVDB ID: 3973](https://vulners.com/osvdb/OSVDB:3973)\n[Related OSVDB ID: 15446](https://vulners.com/osvdb/OSVDB:15446)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107712117913185&w=2\n[CVE-2004-0300](https://vulners.com/cve/CVE-2004-0300)\nBugtraq ID: 9687\n", "modified": "2004-02-17T23:50:29", "published": "2004-02-17T23:50:29", "href": "https://vulners.com/osvdb/OSVDB:15448", "id": "OSVDB:15448", "title": "Online Store Kit listing.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:11", "bulletinFamily": "software", "cvelist": ["CVE-2004-0300"], "edition": 1, "description": "## Vulnerability Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. 
The issue is due to the 'shop.php' script not properly sanitizing user-supplied input to the 'cat' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOnline Store Kit contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'shop.php' script not properly sanitizing user-supplied input to the 'cat' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/directory/shop.php?cat=[SQL]\n## References:\nVendor URL: http://www.alarit.com/\n[Secunia Advisory ID:10902](https://secuniaresearch.flexerasoftware.com/advisories/10902/)\n[Related OSVDB ID: 15447](https://vulners.com/osvdb/OSVDB:15447)\n[Related OSVDB ID: 3973](https://vulners.com/osvdb/OSVDB:3973)\n[Related OSVDB ID: 15448](https://vulners.com/osvdb/OSVDB:15448)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107712117913185&w=2\n[CVE-2004-0300](https://vulners.com/cve/CVE-2004-0300)\nBugtraq ID: 9687\n", "modified": "2004-02-17T23:50:29", "published": "2004-02-17T23:50:29", "href": "https://vulners.com/osvdb/OSVDB:15446", "id": "OSVDB:15446", "title": "Online Store Kit shop.php cat Variable SQL Injection", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T21:37:49", "description": "Ecommerce Corporation Online Store Kit 3.0 More.PHP id Parameter SQL Injection. CVE-2004-0300. 
Webapps exploit for php platform", "published": "2003-02-17T00:00:00", "type": "exploitdb", "title": "Ecommerce Corporation Online Store Kit 3.0 More.PHP id Parameter SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0300"], "modified": "2003-02-17T00:00:00", "id": "EDB-ID:23711", "href": "https://www.exploit-db.com/exploits/23711/", "sourceData": "source: http://www.securityfocus.com/bid/9676/info\r\n\r\nMultiple vulnerabilities have been identified in the software due to improper sanitization of user-supplied input. Successful exploitation of these issues could allow an attacker to carry out cross-site scripting and SQL injection attacks via the 'id' parameter of 'more.php' script.\r\n\r\nOnline Store Kit version 3.0 has been reported to be prone to these issues.\r\n\r\nmore.php?id='[SQL injection here]&", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23711/"}, {"lastseen": "2016-02-02T21:38:49", "description": "Ecommerce Corporation Online Store Kit 3.0 shop.php cat Parameter SQL Injection. CVE-2004-0300. Webapps exploit for php platform", "published": "2004-02-18T00:00:00", "type": "exploitdb", "title": "Ecommerce Corporation Online Store Kit 3.0 shop.php cat Parameter SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0300"], "modified": "2004-02-18T00:00:00", "id": "EDB-ID:23718", "href": "https://www.exploit-db.com/exploits/23718/", "sourceData": "source: http://www.securityfocus.com/bid/9687/info\r\n\r\nIt has been reported that Online Store Kit is prone to multiple SQL injection vulnerabilities. These issues arise due to insufficient sanitation of user-supplied input via the URI.\r\n\r\nAs a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. 
It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue.\r\n\r\nhttp://www.example.com/directory/shop.php?cat=[query]", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23718/"}, {"lastseen": "2016-02-02T21:38:57", "description": "Ecommerce Corporation Online Store Kit 3.0 shop_by_brand.php cat_manufacturer Parameter SQL Injection. CVE-2004-0300. Webapps exploit for php platform", "published": "2004-02-18T00:00:00", "type": "exploitdb", "title": "Ecommerce Corporation Online Store Kit 3.0 shop_by_brand.php cat_manufacturer Parameter SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0300"], "modified": "2004-02-18T00:00:00", "id": "EDB-ID:23719", "href": "https://www.exploit-db.com/exploits/23719/", "sourceData": "source: http://www.securityfocus.com/bid/9687/info\r\n \r\nIt has been reported that Online Store Kit is prone to multiple SQL injection vulnerabilities. These issues arise due to insufficient sanitation of user-supplied input via the URI.\r\n \r\nAs a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue.\r\n\r\nhttp://www.example.com/directory/lite/shop_by_brand.php?cat_manufacturer=[query]", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23719/"}, {"lastseen": "2016-02-02T21:39:04", "description": "Ecommerce Corporation Online Store Kit 3.0 listing.php id Parameter SQL Injection. CVE-2004-0300. 
Webapps exploit for php platform", "published": "2004-02-18T00:00:00", "type": "exploitdb", "title": "Ecommerce Corporation Online Store Kit 3.0 listing.php id Parameter SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0300"], "modified": "2004-02-18T00:00:00", "id": "EDB-ID:23720", "href": "https://www.exploit-db.com/exploits/23720/", "sourceData": "source: http://www.securityfocus.com/bid/9687/info\r\n \r\nIt has been reported that Online Store Kit is prone to multiple SQL injection vulnerabilities. These issues arise due to insufficient sanitation of user-supplied input via the URI.\r\n \r\nAs a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue.\r\n\r\nhttp://www.example.com/directory/listing.php?id=[query]\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23720/"}], "nessus": [{"lastseen": "2021-01-20T10:04:14", "description": "The remote host is running Ecommerce Corporation Online Store Kit, a\nweb-based e-commerce CGI suite.\n\nThere is a SQL injection vulnerability in the 'id' parameter of\n'more.php'. This could allow a remote attacker to execute arbitrary\nSQL commands, which could be used to take control of the database.\nAdditional vulnerabilities have been reported in various\nscripts, though Nessus has not tested for them.", "edition": 24, "published": "2004-02-17T00:00:00", "title": "Ecommerce Corp. 
Online Store Kit 3.0 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0300", "CVE-2004-0301"], "modified": "2004-02-17T00:00:00", "cpe": [], "id": "ECOMMERCE_CORP_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/12062", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif(description)\n{\n script_id(12062);\n script_version(\"1.23\");\n\n script_cve_id(\"CVE-2004-0300\", \"CVE-2004-0301\");\n script_bugtraq_id(9676, 9687);\n\n script_name(english:\"Ecommerce Corp. Online Store Kit 3.0 Multiple Vulnerabilities\");\n script_summary(english:\"More.php MoSQL Injection\");\n \n script_set_attribute( attribute:\"synopsis\", value:\n\"A web application running on the remote host has a SQL injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running Ecommerce Corporation Online Store Kit, a\nweb-based e-commerce CGI suite.\n\nThere is a SQL injection vulnerability in the 'id' parameter of\n'more.php'. 
This could allow a remote attacker to execute arbitrary\nSQL commands, which could be used to take control of the database.\nAdditional vulnerabilities have been reported in various\nscripts, though Nessus has not tested for them.\" );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade to the latest version of this software.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/02/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/02/17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port))exit(0);\n\nfunction check_dir(path)\n{\n local_var req, res;\n\n req = string(path, \"/more.php?id=1'\");\n res = http_send_recv3(method:\"GET\", item:req, port:port);\n if (isnull(res)) exit(0);\n\n if ( \"SELECT catid FROM catlink WHERE prodid=1\" >< res[2] )\n {\n security_hole(port);\n set_kb_item(name: 
'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); \n exit(0);\n }\n}\n\nforeach dir (cgi_dirs())\n {\n \tcheck_dir(path:dir);\n }\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}