[VIM] Combined Zen Cart issues
security curmudgeon
jericho at attrition.org
Mon Aug 22 06:13:09 EDT 2005
On Wed, 3 Aug 2005, Steven M. Christey wrote:
^^^^^^^^^^^^^^^
jeez i'm behind =)
: While I was training a new person yesterday, I ran across some incorrect
: references to vendor patches for 3 separate vulns in Zen Cart. It
: appears that there are 3 distinct issues, at least from CVE's
: perspective.
:
: Some DB's, at least Secunia and OSVDB, have included references to the
: wrong vendor fix, and/or appear to have mixed two issues together.
: ======================================================
: Candidate: CAN-2004-2023
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2023
:
: SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4
: before patch 1, and possibly other versions allows remote attackers to
: execute arbitrary SQL via the (1) admin_name or (2) admin_pass
: parameters.
hrm. i don't see this in our DB at all and we didn't even have the CVE in
the incoming pool. will have to add this shortly.
: ======================================================
: Candidate: CAN-2004-2024
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2024
: Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873
: Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD
:
: The distribution of Zen Cart 1.1.4 before patch 2 includes certain
: debugging code in the Admin password retrieval functionality, which
: allows attackers to gain administrative privileges via
: password_forgotten.php.
exactly the refs we have and a title that doesn't mention 2 issues, but it
isn't mangled yet.
: ======================================================
: Candidate: CAN-2004-2025
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2025
: Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731
: Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD
:
: SQL injection vulnerability in application_top.php for Zen Cart 1.1.3
: before patch 2 may allow remote attackers to execute arbitrary SQL
: commands via the products_id parameter.
had this as the SQL injection, had 2 of the refs, missed the '3731' post.
can you specify where we mixed up issues or included the wrong solution?
http://osvdb.org/16892 = CVE 2004-2025 = stable
http://osvdb.org/16891 = CVE 2004-2024 = new but has the same refs as CVE
.b