Zen Cart products_id[] Array SQL Injection

medium Nessus Plugin ID 34108

Synopsis

The remote web server contains a PHP application that is prone to a SQL injection attack.

Description

The installed version of Zen Cart does not validate user-supplied input to the 'products_id[]' parameter array of the 'index.php' script when 'action' is set to 'multiple_products_add_product' before using the keys in a database query in the 'in_cart_mixed()' function in 'includes/classes/shopping_cart.php'. Provided PHP's 'magic_quotes_gpc' setting is off, an unauthenticated, remote attacker can leverage this issue to manipulate SQL queries and, for example, uncover sensitive information from the application's database or possibly execute arbitrary PHP code.

Note that there are also reportedly other SQL injection issues in this version of Zen Cart, although Nessus has not tested for them explicitly.
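To make the bug class concrete, here is an added illustration in PHP (not Zen Cart's own code, and the query shape is assumed since the advisory does not reproduce 'in_cart_mixed()'): the keys of the 'products_id[]' array are attacker-controlled strings, and the vulnerable pattern interpolates them straight into an IN (...) list, while the hardened pattern admits only positive integers and binds them as parameters.

```php
<?php
// Constructed request data (not a real capture): one legitimate key and one
// non-numeric key of the kind that must never reach SQL.
$_POST['products_id'] = [
    '12'         => '1',   // products_id[12]=1 -> product 12, quantity 1
    '12 OR 1=1'  => '1',   // a key that is not a product id
];

// Vulnerable pattern: array keys interpolated directly into the query string.
// This reproduces the flaw described above; the second key lands in the SQL.
function vulnerable_in_list(array $products): string
{
    return 'SELECT products_id FROM products WHERE products_id IN ('
        . implode(',', array_keys($products)) . ')';
}

// Hardened pattern, step 1: keep only keys that are canonical positive
// integers. Note that PHP already converts '12' to the int key 12, so both
// int and string keys are handled; ctype_digit('') is false, so empty keys
// are dropped as well.
function product_ids_from_request(array $products): array
{
    $ids = [];
    foreach (array_keys($products) as $key) {
        $s = (string) $key;
        if (ctype_digit($s) && (int) $s > 0) {
            $ids[] = (int) $s;
        }
    }
    return $ids;
}

// Hardened pattern, step 2: build the IN list from placeholders only and
// return the validated ids separately, to be bound with a prepared
// statement (e.g. PDOStatement::execute($params)). No attacker bytes are
// ever concatenated into the SQL text.
function hardened_query(array $products): array
{
    $ids = product_ids_from_request($products);
    if ($ids === []) {
        return ['sql' => null, 'params' => []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [
        'sql'    => "SELECT products_id FROM products WHERE products_id IN ($placeholders)",
        'params' => $ids,
    ];
}

echo vulnerable_in_list($_POST['products_id']), PHP_EOL;
print_r(hardened_query($_POST['products_id']));
```

Run from the command line with `php` to compare the two query strings; the hardened form drops the non-numeric key and emits a single placeholder bound to the integer 12.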

Solution

Patch 'includes/classes/shopping_cart.php' as described in the vendor advisory.

See Also

http://www.nessus.org/u?de36ae73

https://www.securityfocus.com/archive/1/496032

https://www.zen-cart.com/showthread.php?106701-Security-Alert-SQL-Injection-Risk-Aug-31&p=604473#post604473

Plugin Details

Severity: Medium

ID: 34108

File Name: zencart_productsid_sql_injection.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 9/8/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:zen-cart:zen_cart

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2008-6986

BID: 31023

CWE: 89