Comdev eCommerce 3.0 Multiple Vulnerabilities (RFI, Traversal)

2005-08-07T00:00:00
ID COMDEV_ECOMMERCE_DOCROOT_FILE_INCLUDES.NASL
Type nessus
Reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
Modified 2020-10-02T00:00:00

Description

The remote host is running eCommerce, a web-based shopping system from Comdev.

The installed version of eCommerce allows remote attackers to control the 'path[docroot]' parameter used when including PHP code in the 'config.php' script. By leveraging this flaw, an attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.

There is also a directory traversal vulnerability in the product involving the 'wce.download.php' script, by which an attacker can read the contents of arbitrary files on the remote host.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(19393);
  script_version("1.17");

  script_cve_id("CVE-2005-2543", "CVE-2005-2544");
  script_bugtraq_id(14478, 14479);

  script_name(english:"Comdev eCommerce 3.0 Multiple Vulnerabilities (RFI, Traversal)");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running eCommerce, a web-based shopping system from
Comdev. 

The installed version of eCommerce allows remote attackers to control
the 'path[docroot]' parameter used when including PHP code in the
'config.php' script.  By leveraging this flaw, an attacker may be able
to view arbitrary files on the remote host and execute arbitrary PHP
code, possibly taken from third-party hosts. 

There is also a directory traversal vulnerability in the product
involving the 'wce.download.php' script, by which an attacker can read
the contents of arbitrary files on the remote host." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/407469/30/0/threaded" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/407473/30/0/threaded" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/07");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/04");
 script_cvs_date("Date: 2018/11/15 20:50:16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple vulnerabilities in eCommerce";
  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit the flaw in config.php to read /etc/passwd.
  r = http_send_recv3(method:"GET", port: port,
    item:string(
      dir, "/config.php?",
      "path[docroot]=/etc/passwd%00"));
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if...
  if (
    # there's an entry for root or...
    egrep(string:res, pattern:"root:.*:0:[01]:") ||
    # we get an error saying "failed to open stream" or "Failed opening".
    #
    # nb: this suggests magic_quotes_gpc was enabled but passing 
    #     remote URLs might still work.
    egrep(string:res, pattern:"Warning: main\(/etc/passwd.+failed to open stream") ||
    egrep(string:res, pattern:"Warning: .+ Failed opening '/etc/passwd.+for inclusion")
  ) {
    security_warning(port);
    exit(0);
  }
}