CVE-2005-1822 - SQL Injection and Cross-Site Scripting vulnerability in Qualiteam X-Cart 4.0.8

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Multiple SQL injection vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php.

Vulnerable Configurations

Part Description Count
Application
Qualiteam
1

Exploit-Db

  • description: Qualiteam X-Cart 4.0.8 home.php Multiple Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25767
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25767/
    title: Qualiteam X-Cart 4.0.8 home.php Multiple Parameter SQL Injection
  • description: Qualiteam X-Cart 4.0.8 error_message.php id Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25769
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25769/
    title: Qualiteam X-Cart 4.0.8 error_message.php id Parameter SQL Injection
  • description: Qualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25774
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25774/
    title: Qualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter SQL Injection
  • description: Qualiteam X-Cart 4.0.8 product.php Multiple Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25768
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25768/
    title: Qualiteam X-Cart 4.0.8 product.php Multiple Parameter SQL Injection
  • description: Qualiteam X-Cart 4.0.8 orders.php mode Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25771
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25771/
    title: Qualiteam X-Cart 4.0.8 orders.php mode Parameter SQL Injection
  • description: Qualiteam X-Cart 4.0.8 help.php section Parameter SQL Injection. CVE-2005-1822. Webapps exploit for php platform
    id: EDB-ID:25770
    last seen: 2016-02-03
    modified: 2005-05-30
    published: 2005-05-30
    reporter: CENSORED Search Vulnerabilities
    source: https://www.exploit-db.com/download/25770/
    title: Qualiteam X-Cart 4.0.8 help.php section Parameter SQL Injection

Nessus

NASL family: CGI abuses
NASL id: QUALITEAM_XCART_SQL_XSS.NASL
description: The remote host is running X-Cart, a PHP-based shopping cart system. The version installed on the remote host suffers from numerous SQL injection and cross-site scripting vulnerabilities. Attackers can exploit the former to influence database queries, resulting possibly in a compromise of the affected application, disclosure of sensitive data, or even attacks against the underlying database. Exploitation of the cross-site scripting flaws can be used to steal cookie-based authentication credentials and perform similar attacks.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18419
published: 2005-06-06
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18419
title: Qualiteam X-Cart Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin registration branch: when Nessus loads the script with
# `description` set, only this block runs and declares the plugin's
# metadata. The live check further down never executes in that mode.
if (description)
{
  script_id(18419);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  # CVE-2005-1822 is the SQL injection set described on this page;
  # CVE-2005-1823 is presumably the cross-site scripting companion
  # advisory — confirm against the referenced BugTraq post.
  script_cve_id("CVE-2005-1822", "CVE-2005-1823");
  script_bugtraq_id(13817);

  script_name(english:"Qualiteam X-Cart Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in X-Cart");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application affected by several
flaws." );
  script_set_attribute(attribute:"description", value:
"The remote host is running X-Cart, a PHP-based shopping cart system. 

The version installed on the remote host suffers from numerous SQL
injection and cross-site scripting vulnerabilities.  Attackers can
exploit the former to influence database queries, resulting possibly
in a compromise of the affected application, disclosure of sensitive
data, or even attacks against the underlying database.  And
exploitation of the cross-site scripting flaws can be used to steal
cookie-based authentication credentials and perform similar attacks." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/401035/30/0/threaded" );
  # No vendor fix was known when the plugin was written; the detection
  # below only probes one SQL injection vector (help.php?section=) and
  # reports the XSS flaws as present on the same affected version
  # without testing them.
  script_set_attribute(attribute:"solution", value:"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): this page lists several Exploit-DB entries for
  # CVE-2005-1822, so "false" here may be stale — confirm against
  # current plugin metadata.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/06");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/30");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
  # ACT_ATTACK: the check sends a live injection probe to the target
  # rather than matching a banner, so it is gated like other attack-class
  # plugins and skipped when CGI scanning is disabled.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


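# Live check for the help.php SQL injection (CVE-2005-1822).
#
# One request per CGI directory: a single quote is appended to the
# 'section' parameter and the response is inspected for X-Cart's
# echoed, now-broken, statistics query. On a hit the host is reported
# once and the KB is flagged for both the SQLi and (untested, same
# affected version) XSS issues.
port = get_http_port(default:80, php:TRUE);

init_cookiejar();

# For each CGI directory...
foreach dir (cgi_dirs())
{
  # Start every directory with a clean jar so the "xid" cookie tested
  # for below comes from this response, not from an earlier directory.
  erase_http_cookie(name: "xid");

  # Try to exploit one of the SQL flaws.
  r = http_send_recv3(method: "GET",
    item:string(dir, "/help.php?section='", SCRIPT_NAME),
    port:port,
    exit_on_fail:TRUE
  );

  # The echoed query quotes the path that was requested. The previous
  # pattern hard-coded "/cart/help.php", which could only match installs
  # under /cart even though every directory is probed; accept any
  # directory prefix in front of help.php instead.
  sql_err = string("SELECT pageid FROM xcart_stats_pages WHERE page='[^']*/help\.php\?section='", SCRIPT_NAME);

  # If ...
  if (
    # it looks like X-Cart and...
    ! isnull(get_http_cookie(name: "xid")) &&
    egrep(string: r[2], pattern:"^<!-- /?central space -->") &&
    # we get a syntax error.
    egrep(string: r[2], pattern:sql_err)
  )
  {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}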