ID OPENVAS:136141256231016227 Type openvas Reporter Copyright (C) 2005 Noam Rathaus Modified 2020-05-06T00:00:00
Description
Comersus ASP shopping cart is a set of ASP scripts for creating an online
shopping cart. It works with a database of your own choosing (the default is MS Access) and includes online
administration tools.
###############################################################################
# OpenVAS Vulnerability Test
#
# Comersus BackOffice Lite Administrative Bypass
#
# Authors:
# Noam Rathaus
#
# Copyright:
# Copyright (C) 2005 Noam Rathaus
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Subject: bug report comersus Back Office Lite 6.0 and 6.0.1
# From: "raf somers" <beltech2bugtraq@hotmail.com>
# Date: 2005-01-21 18:07
# Metadata registration. When `description` is set, the script only registers
# the tags below and leaves through the exit(0) at the end of this block, so
# no request is sent to the target from here.
if( description ) {

  # Identity and cross-references.
  script_oid("1.3.6.1.4.1.25623.1.0.16227");
  script_version("2020-05-06T06:57:16+0000");
  script_cve_id("CVE-2005-0301");
  script_bugtraq_id(12362);

  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_tag(name:"last_modification", value:"2020-05-06 06:57:16 +0000 (Wed, 06 May 2020)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_name("Comersus BackOffice Lite Administrative Bypass");

  # NOTE(review): registered as ACT_GATHER_INFO, yet the active part requests
  # the installer's final page and then an administrative page using the cookie
  # it was handed. Confirm that requesting the installer page does not itself
  # change the store's state before treating this check as non-intrusive.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2005 Noam Rathaus");
  script_family("Web application abuses");

  # Scheduling: needs the web service discovery / directory enumeration
  # plugins listed here, and is excluded when CGI scanning is disabled.
  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  # Remediation text shown in the report. The continuation lines of the
  # multi-line values stay at column 0 because they are part of the string.
  script_tag(name:"solution", value:"Delete the file '/comersus_backoffice_install10.asp' from the
server as it is not needed after the installation process has been completed.");

  # NOTE(review): this "summary" describes the product, not the finding; the
  # finding itself is only stated in the "impact" tag below.
  script_tag(name:"summary", value:"Comersus ASP shopping cart is a set of ASP scripts creating an online
shoppingcart. It works on a database of your own choosing, default is msaccess, and includes online
administration tools.");

  script_tag(name:"impact", value:"By accessing the /comersus_backoffice_install10.asp file it is possible
to bypass the need to authenticate as an administrative user.");

  # remote_app: the result is based on an application-level response from the
  # remote host.
  script_tag(name:"qod_type", value:"remote_app");

  # NOTE(review): the OSVDB 13164 advisory reports the issue as fixed in
  # version 6.0.2; if that holds, "VendorFix" with an upgrade hint may describe
  # the remediation better than "Workaround" - confirm against the vendor.
  script_tag(name:"solution_type", value:"Workaround");

  exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
# Active check for CVE-2005-0301: a leftover installer page that hands out an
# administrative session without authentication.
port = http_get_port( default:80 );

# Nothing to test on servers that are not expected to serve ASP pages.
if( ! http_can_host_asp( port:port ) )
  exit( 0 );

host = http_host_name( port:port );

# Candidate locations: two fixed Comersus paths plus whatever
# http_cgi_dirs() returns for this port (duplicates removed).
candidate_dirs = make_list_unique( "/comersus/backofficeLite", "/comersus", http_cgi_dirs( port:port ) );

foreach dir( candidate_dirs ) {

  # Avoid a double slash when the directory is the web root.
  if( dir == "/" )
    dir = "";

  # Step 1: is the installer's final page still reachable?
  url = dir + "/comersus_backoffice_install10.asp";
  req = http_get( item:url, port:port );
  res = http_keepalive_send_recv( port:port, data:req );
  if( isnull( res ) )
    continue;

  # All three markers must be present, otherwise this is not the installer page.
  if( 'Installation complete' >!< res || 'Final Step' >!< res || 'Installation Wizard' >!< res )
    continue;

  # NOTE(review): only the first Set-Cookie name=value pair of the response is
  # captured. If the server sets several cookies and the session cookie is not
  # the first one, step 2 runs without it and a vulnerable host can be missed.
  cookie_match = eregmatch( pattern:"Set-Cookie[0-9]?: *([^; ]+)", string:res );
  if( isnull( cookie_match ) )
    continue;

  cookie = cookie_match[1];

  # Step 2: confirm that the cookie from step 1 is accepted by an
  # administrative page, so the finding is not reported on the installer
  # banner alone.
  req = string( "GET ", dir, "/comersus_backoffice_settingsModifyForm.asp HTTP/1.1\r\n",
                "Host: ", host, "\r\n",
                "Cookie: ", cookie, "\r\n",
                "\r\n" );
  res = http_keepalive_send_recv( port:port, data:req );
  if( isnull( res ) )
    continue;

  if( 'Modify Store Settings' >< res && 'Basic Admin Utility' >< res ) {
    # Report the installer URL (the file to remove) and stop at the first hit.
    report = http_report_vuln_url( port:port, url:url );
    security_message( port:port, data:report );
    exit( 0 );
  }
}

# Every candidate directory was checked and nothing was reported.
exit( 99 );
{"id": "OPENVAS:136141256231016227", "type": "openvas", "bulletinFamily": "scanner", "title": "Comersus BackOffice Lite Administrative Bypass", "description": "Comersus ASP shopping cart is a set of ASP scripts creating an online\n shoppingcart. It works on a database of your own choosing, default is msaccess, and includes online\n administration tools.", "published": "2005-11-03T00:00:00", "modified": "2020-05-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231016227", "reporter": "Copyright (C) 2005 Noam Rathaus", "references": [], "cvelist": ["CVE-2005-0301"], "lastseen": "2020-05-08T16:40:16", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0301"]}, {"type": "osvdb", "idList": ["OSVDB:13164"]}], "modified": "2020-05-08T16:40:16", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-05-08T16:40:16", "rev": 2}, "vulnersScore": 5.2}, "pluginID": "136141256231016227", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Comersus BackOffice Lite Administrative Bypass\n#\n# Authors:\n# Noam Rathaus\n#\n# Copyright:\n# Copyright (C) 2005 Noam Rathaus\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# Subject: bug report comersus Back Office Lite 6.0 and 6.0.1\n# From: \"raf somers\" <beltech2bugtraq@hotmail.com>\n# Date: 2005-01-21 18:07\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.16227\");\n script_version(\"2020-05-06T06:57:16+0000\");\n script_cve_id(\"CVE-2005-0301\");\n script_bugtraq_id(12362);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 06:57:16 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_name(\"Comersus BackOffice Lite Administrative Bypass\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2005 Noam Rathaus\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Delete the file '/comersus_backoffice_install10.asp' from the\n server as it is not needed after the installation process has been completed.\");\n\n script_tag(name:\"summary\", value:\"Comersus ASP shopping cart is a set of ASP scripts creating an online\n shoppingcart. 
It works on a database of your own choosing, default is msaccess, and includes online\n administration tools.\");\n\n script_tag(name:\"impact\", value:\"By accessing the /comersus_backoffice_install10.asp file it is possible\n to bypass the need to authenticate as an administrative user.\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\nif( ! http_can_host_asp( port:port ) ) exit( 0 );\n\nhost = http_host_name( port:port );\n\nforeach dir( make_list_unique( \"/comersus/backofficeLite\", \"/comersus\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n url = dir + \"/comersus_backoffice_install10.asp\";\n req = http_get( item:url, port:port );\n r = http_keepalive_send_recv( port:port, data:req );\n if( isnull( r ) ) continue;\n if( 'Installation complete' >< r && 'Final Step' >< r && 'Installation Wizard' >< r ) {\n\n v = eregmatch( pattern:\"Set-Cookie[0-9]?: *([^; ]+)\", string:r );\n\n if( ! isnull( v ) ) {\n cookie = v[1];\n req = string( \"GET \", dir, \"/comersus_backoffice_settingsModifyForm.asp HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Cookie: \", cookie, \"\\r\\n\",\n \"\\r\\n\" );\n r = http_keepalive_send_recv( port:port, data:req );\n if( isnull( r ) ) continue;\n if( 'Modify Store Settings' >< r && 'Basic Admin Utility' >< r ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n }\n}\n\nexit( 99 );\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2020-10-03T11:34:52", "description": "comersus_backoffice_install10.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to bypass authentication and gain privileges via a direct request to the program.", "edition": 3, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-0301", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0301"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:comersus_open_technologies:comersus_backoffice_lite:6.0", "cpe:/a:comersus_open_technologies:comersus_backoffice_lite:6.1"], "id": "CVE-2005-0301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0301", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:comersus_open_technologies:comersus_backoffice_lite:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:comersus_open_technologies:comersus_backoffice_lite:6.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "cvelist": ["CVE-2005-0301"], "edition": 1, "description": "## Vulnerability Description\nASP Shopping Cart contains a flaw that may allow a malicious user to gain unauthorized administrative rights. The issue is triggered when the comersus_backoffice_install10.asp file is accessed directly, which grants administrative rights without any validation. 
It is possible that the flaw may allow unauthorized administrative access resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 6.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nASP Shopping Cart contains a flaw that may allow a malicious user to gain unauthorized administrative rights. The issue is triggered when the comersus_backoffice_install10.asp file is accessed directly, which grants administrative rights without any validation. It is possible that the flaw may allow unauthorized administrative access resulting in a loss of integrity.\n## References:\nVendor URL: http://www.comersus.com/\n[Vendor Specific Advisory URL](http://www.comersus.org/forum/displayMessage.asp?mid=32753)\nSecurity Tracker: 1012989\n[Secunia Advisory ID:13964](https://secuniaresearch.flexerasoftware.com/advisories/13964/)\n[Related OSVDB ID: 13166](https://vulners.com/osvdb/OSVDB:13166)\n[Related OSVDB ID: 13167](https://vulners.com/osvdb/OSVDB:13167)\n[Related OSVDB ID: 13165](https://vulners.com/osvdb/OSVDB:13165)\n[Related OSVDB ID: 13168](https://vulners.com/osvdb/OSVDB:13168)\nPacket Storm: http://packetstormsecurity.org/0501-advisories/Comersus60.txt\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=110636597832556&w=2\n[CVE-2005-0301](https://vulners.com/cve/CVE-2005-0301)\n", "modified": "2005-01-21T06:58:43", "published": "2005-01-21T06:58:43", "href": "https://vulners.com/osvdb/OSVDB:13164", "id": "OSVDB:13164", "title": "Comersus ASP Shopping Cart comersus_backoffice_install10.asp Admin Authentication Bypass", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}