by r0t,der4444,cembo,VietMafia

Saturday, December 17, 2005

CONTENS "search.cfm" Multiple Input Validation Vuln.

Vuln. discovered by: r0t
Date: 17 dec. 2005
Vendor: http://www.contens.com
Affected version: 3.0 and prior

Product Description:

CONTENS Software GmbH provides Content Management Software (CMS) for companies with sophisticated online communication needs. Its line of products meets the demands of businesses from small online editors to international firms. A strong network of experienced partners conceives innovative and customized CONTENS solutions and implements them according to individual demands. With the help of the CONTENS platform-independent CMS products, businesses can quickly realize and edit extensive online projects without any prior programming knowledge. Among the well-known businesses that use CONTENS Content Management products are Concordia Insurance Group, Credit Suisse, Davidoff, Discovery Channel, Eurocard, GlobeGround Servisair, Hapimag, HypoVereinsbank BKK, John Deere, Max-Planck, MVV Energie AG, Peri, ratiopharm, T-Mobile and Schwyzer Kantonalbank.

Vuln. Description:

1. XSS

CONTENS contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "near" parameter of "search.cfm" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=10&near=[XSS]


2. Full path and sensitive information view.
To view the install path and other sensitive information, use one of the examples below:

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=[CODE]

/search.cfm?uselang_en=1&intern=[CODE]
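For defenders, a way to spot probes against both issues above in web server logs. This is an added example, not code from the advisory or from CONTENS; the parameter names come from the URLs above, the list of numeric parameters and the treatment of "criteria" as reflected are assumptions, and the log lines are constructed.

```python
# Added example (not from the advisory): flag search.cfm requests matching
# the two issues described above. Log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed numeric parameters: a non-numeric value is what the advisory says
# produces the error page revealing the install path.
NUMERIC_PARAMS = {"intern", "advanced", "submit.x", "submit.y", "itemsperpage"}
# "near" is the reflected parameter named by the advisory; watching
# "criteria" as well is an assumption.
REFLECTED_PARAMS = {"near", "criteria"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
TAG_RE = re.compile(r"[<>]|javascript:|on\w+\s*=", re.IGNORECASE)

def classify_request(url: str) -> list:
    """Return finding labels for one request URL (empty list if clean)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/search.cfm"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; catch double-encoding
            if name in REFLECTED_PARAMS and TAG_RE.search(decoded):
                findings.append(f"xss-probe:{name}")
            if name in NUMERIC_PARAMS and not decoded.isdigit():
                findings.append(f"path-disclosure-probe:{name}")
    return findings

def scan_log(lines):
    """Yield (client_ip, url, findings) for each suspicious search.cfm request."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group(1))
        if findings:
            yield line.split(" ", 1)[0], m.group(1), findings

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Dec/2005:10:00:01 +0100] "GET /search.cfm?uselang_en=1&intern=0&criteria=r0t&near=test HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Dec/2005:10:00:02 +0100] "GET /search.cfm?uselang_en=1&intern=0&criteria=r0t&near=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5130',
    '198.51.100.9 - - [17/Dec/2005:10:00:03 +0100] "GET /search.cfm?uselang_en=1&intern=0&advanced=1&submit.x=33&submit.y=abc HTTP/1.1" 500 2048',
    '198.51.100.9 - - [17/Dec/2005:10:00:04 +0100] "GET /index.cfm?near=%3Cb%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, url, findings)
```

A 500 status on a search.cfm request with a non-numeric value in one of these parameters is the strongest indicator that the error page, and with it the install path, was actually served.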

Solution:
Edit the source code to ensure that input is properly sanitised.

Copyright (c) 2006 Pridels Sec Crew