HTTP: SpiderSales Shopping Cart Code Injection
This signature detects attempts to exploit a known vulnerability in SpiderSales Shopping Cart Web application, which does not correctly sanitize inputs for userid. Attackers can remotely execute malicious commands on the server.
Extended Description
Multiple vulnerabilities have been identified in the application that may allow an attacker to obtain the private cryptographic key and gain access to sensitive information. The application is also reported prone to an SQL injection vulnerability that may allow an attacker to gain administrative level access to the underlying database. The issues exist due to improper implementation of the RSA cryptosystem by SpiderSales and failure to sanitize user-supplied input via the 'userId' URI parameter employed by various scripts. SpiderSales version 2.0 is assumed to be vulnerable to these issues, however, other versions could be affected as well.
Affected Products
Spidersales spidersales
Short Name
HTTP:CGI:SPIDERSALES
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2004-0348 Cart Code Injection Shopping SpiderSales bid:9799
Release Date
01/29/2005
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Unknown
Vendors
Spidersales
CVSS Score
10.0