Vulnerabilities > CVE-2005-1593 - Unspecified vulnerability in Codethat Shoppingcart 1.3.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
codethat
nessus
exploit available
NVD
Published: 2005-05-16
Updated: 2024-11-20

Summary

Cross-site scripting (XSS) vulnerability in catalog.php for CodeThat ShoppingCart 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Vulnerable Configurations

Part Description Count
Application
Codethat
1

Exploit-Db

descriptionCodeThatShoppingCart 1.3.1 catalog.php id Parameter XSS. CVE-2005-1593. Webapps exploit for php platform
idEDB-ID:25637
last seen2016-02-03
modified2005-05-09
published2005-05-09
reporterLostmon
sourcehttps://www.exploit-db.com/download/25637/
titleCodeThatShoppingCart 1.3.1 catalog.php id Parameter XSS

Nessus

NASL familyCGI abuses
NASL idCODETHATSHOPPINGCART_SQL.NASL
descriptionThe remote host is running the CodeThat.com ShoppingCart, a shopping cart program written in PHP. The remote version of this software fails to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id18255
published2005-05-14
reporterCopyright (C) 2005-2018 Josh Zlatin-Amishav
sourcehttps://www.tenable.com/plugins/nessus/18255
titleCodeThatShoppingCart Multiple Remote Vulnerabilities (SQLi, XSS, ID)
code
#
# This script was written by Josh Zlatin-Amishav <josh at tkos dot co dot il>
#
# This script is released under the GNU GPLv2
#


include("compat.inc");

if(description)
{
 script_id(18255);
 script_version ("1.20");

 script_cve_id("CVE-2005-1593", "CVE-2005-1594", "CVE-2005-1595");
 script_bugtraq_id(13560);

 script_name(english:"CodeThatShoppingCart Multiple Remote Vulnerabilities (SQLi, XSS, ID)");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running the CodeThat.com ShoppingCart, a shopping
cart program written in PHP. 

The remote version of this software fails to sanitize input to the
'id' parameter of the 'catalog.php' script before using it in a
database query.  An unauthenticated, remote attacker could leverage
this issue to launch SQL injection as well as cross-site scripting
attacks against the affected software and associated database 
application." );
 script_set_attribute(attribute:"see_also", value:"http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html" );
 script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/14");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/09");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


 summary["english"] = "Checks for a SQL injection in CodeThatShoppingCart";

 script_summary(english:summary["english"]);

 script_family(english:"CGI abuses");
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"Copyright (C) 2005-2020 Josh Zlatin-Amishav");

 script_dependencies("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

global_var port;

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);

function check(url)
{
 local_var req, res;

 req = http_get(item:url +"/catalog.php?action=category_show&id='", port:port);
 res = http_keepalive_send_recv(port:port, data:req);
 if ( res == NULL ) exit(0);
 if ( "select id from products P, category_products CP where P.id=CP.product_id and CP.category_id=" >< res )
 {
        security_hole(port);
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        exit(0);
 }
}

foreach dir ( cgi_dirs() )
{
  check(url:dir);
}

References