Vulnerabilities > CVE-2005-1823 - SQL Injection and Cross-Site Scripting vulnerability in Qualiteam X-Cart 4.0.8

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
qualiteam
nessus
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php.

Vulnerable Configurations

Part Description Count
Application
Qualiteam
1

Exploit-Db

  • descriptionQualiteam X-Cart 4.0.8 product.php Multiple Parameter XSS. CVE-2005-1823. Webapps exploit for php platform
    idEDB-ID:25760
    last seen2016-02-03
    modified2005-05-30
    published2005-05-30
    reporterCENSORED Search Vulnerabilities
    sourcehttps://www.exploit-db.com/download/25760/
    titleQualiteam X-Cart 4.0.8 product.php Multiple Parameter XSS
  • descriptionQualiteam X-Cart 4.0.8 orders.php mode Parameter XSS. CVE-2005-1823. Webapps exploit for php platform
    idEDB-ID:25763
    last seen2016-02-03
    modified2005-05-30
    published2005-05-30
    reporterCENSORED Search Vulnerabilities
    sourcehttps://www.exploit-db.com/download/25763/
    titleQualiteam X-Cart 4.0.8 orders.php mode Parameter XSS
  • descriptionQualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter XSS. CVE-2005-1823. Webapps exploit for php platform
    idEDB-ID:25766
    last seen2016-02-03
    modified2005-05-30
    published2005-05-30
    reporterCENSORED Search Vulnerabilities
    sourcehttps://www.exploit-db.com/download/25766/
    titleQualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter XSS
  • descriptionQualiteam X-Cart 4.0.8 error_message.php id Parameter XSS. CVE-2005-1823. Webapps exploit for php platform
    idEDB-ID:25761
    last seen2016-02-03
    modified2005-05-30
    published2005-05-30
    reporterCENSORED Search Vulnerabilities
    sourcehttps://www.exploit-db.com/download/25761/
    titleQualiteam X-Cart 4.0.8 error_message.php id Parameter XSS
  • descriptionQualiteam X-Cart 4.0.8 help.php section Parameter XSS. CVE-2005-1823. Webapps exploit for php platform
    idEDB-ID:25762
    last seen2016-02-03
    modified2005-05-30
    published2005-05-30
    reporterCENSORED Search Vulnerabilities
    sourcehttps://www.exploit-db.com/download/25762/
    titleQualiteam X-Cart 4.0.8 help.php section Parameter XSS

Nessus

NASL familyCGI abuses
NASL idQUALITEAM_XCART_SQL_XSS.NASL
descriptionThe remote host is running X-Cart, a PHP-based shopping cart system. The version installed on the remote host suffers from numerous SQL injection and cross-site scripting vulnerabilities. Attackers can exploit the former to influence database queries, possibly resulting in a compromise of the affected application, disclosure of sensitive data, or even attacks against the underlying database. Exploitation of the cross-site scripting flaws can be used to steal cookie-based authentication credentials and perform similar attacks.
last seen2020-06-01
modified2020-06-02
plugin id18419
published2005-06-06
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18419
titleQualiteam X-Cart Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin registration: metadata only, executed when the scanner loads the
# plugin in description mode. The detection logic follows after this block.
if (description)
{
  script_id(18419);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  # One plugin covers both advisories: CVE-2005-1822 (SQL injection) and
  # CVE-2005-1823 (cross-site scripting).
  script_cve_id("CVE-2005-1822", "CVE-2005-1823");
  script_bugtraq_id(13817);

  script_name(english:"Qualiteam X-Cart Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in X-Cart");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application affected by several
flaws." );
  script_set_attribute(attribute:"description", value:
"The remote host is running X-Cart, a PHP-based shopping cart system. 

The version installed on the remote host suffers from numerous SQL
injection and cross-site scripting vulnerabilities.  Attackers can
exploit the former to influence database queries, resulting possibly
in a compromise of the affected application, disclosure of sensitive
data, or even attacks against the underlying database.  And
exploitation of the cross-site scripting flaws can be used to steal
cookie-based authentication credentials and perform similar attacks." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/401035/30/0/threaded" );
  # NOTE(review): this solution text dates from the 2005 disclosure; the
  # vendor may have shipped a fixed release since — confirm before reporting.
  script_set_attribute(attribute:"solution", value:"Unknown at this time." );
  # NOTE(review): the base vector (C:P/I:P/A:P) appears to score the SQL
  # injection component; the XSS-only CVE-2005-1823 is rated lower (integrity
  # impact only) elsewhere — confirm which CVE this vector is meant to reflect.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # NOTE(review): public Exploit-DB entries exist for the XSS parameters
  # (EDB-ID 25760, 25761, 25762, 25763, 25766), so exploit_available="false"
  # may be stale — confirm against the current advisory data.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/06");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/30");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
  # ACT_ATTACK: the check below sends a crafted request (a quote character in
  # the `section` parameter) rather than reading a banner, so it belongs in
  # the attack phase.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Runs only against web servers that were identified as serving PHP, and is
  # skipped entirely when CGI scanning is disabled in the scan settings.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, php:TRUE);

# Start from a clean cookie jar and drop any pre-existing X-Cart session
# cookie ("xid"), so the cookie checked below can only have been set by
# the probe response itself.
init_cookiejar();
erase_http_cookie(name: "xid");

# For each CGI directory...
foreach dir (cgi_dirs())
{
  # Try to exploit one of the SQL flaws.
  # A single quote in `section` is enough to break the query; SCRIPT_NAME is
  # appended as a marker so an echoed error can be attributed to this probe
  # rather than to some unrelated page content.
  r = http_send_recv3(method: "GET",
    item:string(dir, "/help.php?section='", SCRIPT_NAME),
    port:port,
    exit_on_fail:TRUE
  );

  # If ...
  if (
    # it looks like X-Cart and...
    ! isnull(get_http_cookie(name: "xid")) &&
    egrep(string: r[2], pattern:"^<!-- /?central space -->") &&
    # we get a syntax error.
    # The evidence is the raw SQL fragment (SELECT ... FROM xcart_stats_pages)
    # echoed back in the response body, i.e. verbose database errors reach
    # the client.
    # NOTE(review): the expected error text hard-codes the "/cart/help.php"
    # path, while the request above is sent under each `dir`; an installation
    # under a different directory would not match here (false negative) —
    # confirm whether the echoed page path should be built from `dir` instead.
    egrep(string: r[2], pattern:string("SELECT pageid FROM xcart_stats_pages WHERE page='/cart/help\.php\?section='", SCRIPT_NAME))
  )
  {
    # Report once, flag both finding types in the KB for this port, and stop
    # after the first matching directory.
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}