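##############################################################################
#
# CS-Cart Class.cs_phpmailer.PHP Remote File Include Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2006/06/07
#
# $Revision: 1.1 $
#
# $Log: os2a_cs-cart_file_inclusion_603011.nasl,v $
# Revision 1.1 2006/06/09 12:38:32 ksjayesh
# issue #2529
# To Production
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Detection approach (what a finding from this plugin does and does not mean):
#  - The check is version-based only. It fetches <dir>/index.php to recognise
#    CS-Cart and <dir>/CHANGELOG to read a version string; it never requests
#    classes/phpmailer/class.cs_phpmailer.php itself.
#  - The description states that exploitation requires register_globals. This
#    script does not test that setting, so a finding means "installed version
#    is in the affected range", not "confirmed exploitable".
#  - An installation whose CHANGELOG is missing, blocked or has no
#    "Version x.y" line produces no finding, whatever version it runs.

# Registration pass: declare the plugin metadata and stop before any traffic
# is generated.
if(description)
{
  script_id(603011);
  script_bugtraq_id(18263);
  script_cve_id("CVE-2006-2863");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_name(english:"CS-Cart Class.cs_phpmailer.PHP Remote File Include Vulnerability");
  script_summary(english:"Check for vulnerable version of CS-Cart");
  desc["english"] = "
  Overview : This host has CS-Cart installed, which is prone to file inclusion
  vulnerability.

  Vulnerability Insight : This issue is due to input validation error in the
  classes/phpmailer/class.cs_phpmailer.php script that fails to properly
  validate the classes_dir parameter. Exploitation requires register_globals
  to be enabled.

  Impact : Successful exploitation allows remote attackers to include
  malicious PHP files and execute arbitrary commands with the privileges fo
  the web server.
  Scope of impact is limited to system level.

  Affected Software : CS-Cart 1.3.3 and prior.

  Affected Platform : Any system running the affected software.

  Solution : No vendor supplied patch or update is available as of 07 June
  2006. Information regarding this issue will be updated once the solution
  details are available.

  References :
  http://secunia.com/advisories/20440/
  http://milw0rm.com/exploits/1872

  CVSS Score :
  CVSS Base Score : 5.6 (AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 5.0
  Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}


include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if(!port){
  exit(0);
}

# Probe the conventional install path first, then every known CGI directory.
foreach dir (make_list("/cscart", cgi_dirs()))
{
  sndreq = http_get(item:string(dir, "/index.php"), port:port);
  rcvres = http_keepalive_send_recv(port:port, data:sndreq, bodyonly:1);
  # A NULL reply ends the whole script, not just this directory
  # (presumably the connection failed -- confirm against http_keepalive.inc).
  if(rcvres == NULL){
    exit(0);
  }

  # Only look for a version where the front page carries the CS-Cart banner.
  if(egrep(pattern:"Powered by.*CS-Cart", string:rcvres))
  {
    sndreq = http_get(item:string(dir, "/CHANGELOG"), port:port);
    rcvres = http_keepalive_send_recv(port:port, data:sndreq, bodyonly:1);
    if(rcvres == NULL){
      exit(0);
    }

    # The capture must start and end on a digit. The previous class [.0-9]+
    # also swallowed a sentence-ending dot ("Version 1.3.3."), which then
    # failed the $-anchored range test below and hid an affected install.
    # NOTE(review): only the first "Version" match in the file is used, which
    # assumes the CHANGELOG lists the newest release first -- confirm.
    CSCartVer = eregmatch(pattern:"Version [0-9]+(\.[0-9]+)*", string:rcvres);
    if((CSCartVer != NULL) && CSCartVer[0])
    {
      # Affected range per the description: 0.x, 1.0 - 1.2.x, 1.3, 1.3.0 - 1.3.3.
      if(ereg(pattern: "Version (0\..*|1\.[0-2](\..*)?|1\.3(\.[0-3])?)$",
              string:CSCartVer[0])){
        security_warning(port);
      }
      # One readable version settles the question for this host.
      exit(0);
    }
  }
}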