Spreecommerce api/orders.json Search Function Arbitrary Command Execution

Severity: High | Nessus Plugin ID 53633

Synopsis

The remote web server hosts a web application that allows arbitrary command execution.

Description

The remote web server hosts Spree, an open source e-commerce application for Ruby on Rails.

The version of this application installed on the remote host has a flaw in the third-party 'rd_searchlogic' Ruby gem. An unauthenticated, remote attacker can inject arbitrary Ruby code via the 'search[instance_eval]' parameter of the 'api/orders.json' script to be executed on the remote host subject to the privileges under which the web server operates.

Solution

Upgrade to Spree version 0.50.x or later.

See Also

http://www.spreecommerce.com/blog/2011/04/19/security-fixes

Plugin Details

Severity: High

ID: 53633

File Name: spree_search_cmd_exec.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 5/3/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 4/19/2011

Vulnerability Publication Date: 4/19/2011

Exploitable With

Metasploit (Spreecommerce Arbitrary Command Execution)

Reference Information

BID: 47543