Ecommerce Corp. Online Store Kit 3.0 Multiple Vulnerabilities

high Nessus Plugin ID 12062

Language:

Synopsis

A web application running on the remote host has a SQL injection vulnerability.

Description

The remote host is running Ecommerce Corporation Online Store Kit, a web-based e-commerce CGI suite.

There is a SQL injection vulnerability in the 'id' parameter of 'more.php'. This could allow a remote attacker to execute arbitrary SQL commands, which could be used to take control of the database.
Additional vulnerabilities have been reported in various scripts, though Nessus has not tested for them.

Solution

Upgrade to the latest version of this software.

Plugin Details

Severity: High

ID: 12062

File Name: ecommerce_corp_sql_injection.nasl

Version: 1.23

Type: remote

Family: CGI abuses

Published: 2/17/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2/17/2004

Reference Information

CVE: CVE-2004-0300, CVE-2004-0301

BID: 9676, 9687

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990