by r0t,der4444,cembo,VietMafia

Saturday, December 17, 2005

Community Enterprise 4.x Multiple vuln.


Vuln. discovered by: r0t
Date: 17 Dec. 2005
Vendor: http://www.citysoft.com/
Affected version: 4.x and prior

Product Description:

CitySoft's Community Enterprise software platform provides an easy-to-use, flexible CMS module that integrates with a wide variety of built-in applications such as document management, event management, and contact management. Non-technical users can easily create and manage pages and other content online.

Vuln. Description:

1.) SQL injection
Community Enterprise contains a flaw that allows remote SQL injection attacks. Input passed to the "nodeID", "pageID", "ID", "parentid" and "documentFormatId" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2.) XSS
Community Enterprise contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "presentationSite", "docPublishYear", "docDescription", "publishState", "docAuthor", "docTitle", "subTopic", "topic", "topicRadio", "topicOnly", "startrow" and "sortby" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

3.) Full path
Error messages triggered by the previous vulnerabilities disclose the full installation path and other sensitive information. In addition, the application does not verify user input supplied to the "documentid" and "fuseaction" parameters. A malicious person can exploit this to gain knowledge of the full path to the installation directory by sending an HTTP request including invalid input to those parameters.

examples:

/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1[SQL]

/index.cfm?fuseaction=page.viewPage&pageID=1[SQL]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=16&ID=1[SQL]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=[SQL]

/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=1&documentFormatId=[SQL]


XSS examples:

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=[XSS]

Full path example:

/index.cfm?fuseaction=r0t

/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=r0t

Solution:
Edit the source code to ensure that input is properly sanitised.
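
Added example (not part of the original advisory, and not CitySoft code): a Python sketch of the validation the solution calls for, written as a screen that can be run over request URLs from access logs or reused as an input check in front of the application. The parameter names come from the advisory; the rules that ID parameters are plain integers and that "fuseaction" has a circuit.action form are assumptions drawn from the example URLs, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names from the advisory. ColdFusion treats URL parameter
# names case-insensitively, so they are compared in lower case.
SQL_PARAMS = {"nodeid", "pageid", "id", "parentid", "documentformatid"}
XSS_PARAMS = {"presentationsite", "docpublishyear", "docdescription",
              "publishstate", "docauthor", "doctitle", "subtopic", "topic",
              "topicradio", "topiconly", "startrow", "sortby"}

INTEGER = re.compile(r"[0-9]{1,10}")              # assumption: IDs are integers
FUSEACTION = re.compile(r"[A-Za-z]+\.[A-Za-z]+")  # assumption: circuit.action
MARKUP = re.compile(r"[<>\"']")                   # characters that need encoding

def check_request(url):
    """Return a sorted list of (parameter, issue) findings for one URL."""
    findings = set()
    query = urlsplit(url).query
    # parse_qsl percent-decodes values, so encoded input is checked too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        key = name.lower()
        if key in SQL_PARAMS and value and not INTEGER.fullmatch(value):
            findings.add((name, "sql: non-integer id"))
        elif key == "documentid" and value and not INTEGER.fullmatch(value):
            findings.add((name, "path: non-integer id"))
        elif key == "fuseaction" and not FUSEACTION.fullmatch(value):
            findings.add((name, "path: malformed fuseaction"))
        elif key in XSS_PARAMS and MARKUP.search(value):
            findings.add((name, "xss: markup characters"))
    return sorted(findings)

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1",
    "/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1%27",
    "/index.cfm?fuseaction=Document.showDocumentSection"
    "&sortby=PublishDate&startrow=8&docTitle=%3Cb%3E",
    "/index.cfm?fuseaction=r0t",
    "/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=r0t",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_request(sample) or "ok")
```

Rejecting such requests only narrows the input; the queries themselves still need bound parameters and the reflected values still need HTML encoding on output.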

Copyright (c) 2006 Pridels Sec Crew