Vulnerabilities > CVE-2004-1806 - SQL Injection vulnerability in Dogpatch Software Cfwebstore 5.0

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters.

Vulnerable Configurations

Part: Application
Description: Dogpatch_Software
Count: 1

Nessus

NASL family: CGI abuses
NASL id: CFWEBSTORE_SQL_INJECTION.NASL
description: The remote host is running cfWebStore 5.0.0 or older. There is a flaw in this software that could allow a remote attacker to execute arbitrary SQL statements in the remote database that could in turn be used to gain administrative access on the remote host, read, or modify the content of the remote database. Additionally, cfWebStore is reportedly vulnerable to a cross-site scripting issue. However, Nessus has not tested for this.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12096
published: 2004-03-14
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/12096
title: cfWebStore Multiple Vulnerabilities (SQLi, XSS)
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration pass: when `description` is set, only the plugin's
# metadata is registered and the script exits before the active check
# further down ever runs.
if(description)
{
 # External identifiers for the issue being tested.
 script_id(12096);
 script_cve_id("CVE-2004-1806");
 script_bugtraq_id(9854, 9856);
 script_xref(name:"Secunia", value:"11112");
 
 script_version("1.23");
 script_name(english:"cfWebStore Multiple Vulnerabilities (SQLi, XSS)");
 script_summary(english:"SQL Injection");
 
 # Report text. Note that the XSS mentioned below is not exercised by
 # the check; only the SQL injection is.
 script_set_attribute( attribute:"synopsis", value:
"The web application running on the remote host has multiple
vulnerabilities." );
 script_set_attribute( attribute:"description",  value:
"The remote host is running cfWebStore 5.0.0 or older.

There is a flaw in this software that could allow a remote attacker to
execute arbitrary SQL statements in the remote database that could in
turn be used to gain administrative access on the remote host, read,
or modify the content of the remote database.

Additionally, cfWebStore is reportedly vulnerable to a cross-site
scripting issue. However, Nessus has not tested for this." );
 script_set_attribute(
   attribute:"see_also",
   value:"https://seclists.org/bugtraq/2004/Mar/120"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to cfWebStore version 5.0.1 or later."
 );
 # Scoring (CVSSv2) and exploitability metadata.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # Publication dates (plugin vs. the underlying advisory).
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/03/14");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/03/12");
 script_cvs_date("Date: 2018/11/15 20:50:16");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 # Must follow every script_set_attribute() call above.
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 # Scheduling: runs after service/HTTP discovery, needs a www service
 # (default port 80), and is skipped when CGI scanning is disabled via
 # the Settings/disable_cgi_scanning key.
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# HTTP port under test (default 80); read as a global by check() below.
port = get_http_port(default:80);

# Probe one candidate directory for the category_ID SQL injection.
#
# dir: web directory (from cgi_dirs()) under which index.cfm is requested.
#
# A single quote is sent in category_ID and the reply is searched for the
# HTML-encoded CFML fragment `cfquery name="request.QRY_GET_CAT"`.
# Presumably that fragment is only echoed back by ColdFusion's verbose
# error page, so a server with that output disabled may go undetected
# (false negatives); conversely any page containing the fragment would
# match (false positives). Only category_ID is probed here; the CVE also
# names product_id and feature_id.
#
# Reads the global `port`. Exits the plugin when the server does not
# answer at all, and again after the first positive result so the host
# is reported once; otherwise returns 0.
function check(dir)
{
  local_var reply, target;

  target = string(dir, "/index.cfm?fuseaction=category.display&category_ID='");
  reply = http_send_recv3(method:"GET", item:target, port:port);

  # No answer at all: nothing further to test on this host.
  if (isnull(reply)) exit(0);

  # NOTE(review): the marker is tested against the value returned by
  # http_send_recv3 as a whole rather than a specific element of it --
  # confirm this matches the http.inc in use.
  if ("cfquery name=&quot;request.QRY_GET_CAT&quot;" >!< reply) return(0);

  security_hole(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}

# Run the probe once per CGI directory the scanner knows about; check()
# exits on the first hit, so at most one finding is reported per port.
foreach dir (cgi_dirs()) check(dir:dir);