by r0t,der4444,cembo,VietMafia

Sunday, December 18, 2005

Mercury CMS™ vuln.

Vuln. discovered by: r0t
Date: 18 Dec. 2005
Vendor: http://www.mercury-cms.com
Affected version: 4.0 and prior


Product Description:

Mercury CMS™ v4.0 is an extensible, modular, enterprise-level content management system at entry-level costs. The four Editions of the CMS - Lite, Professional, Portal and E-Commerce - provide a complete set of functionality to satisfy the business needs of our clients. Mercury CMS™ allows non-technical personnel to manage and edit content using secure and easy-to-use, browser-based interfaces.
We designed Mercury CMS™ v4.0 to provide maximum aesthetic flexibility by utilizing custom templates and multi-level styling. What makes this CMS unique are features like parallel editing; content granulation, where pages are containers and content is organized in sections, snippets and modules; a site organized in areas (public, intranet, extranet, hidden); meta tags, styles, and repeating content configured on multiple levels (global, area, page); and more.
Flexible extensibility provides secure integration with third party and custom applications.
The Architecture of Mercury CMS™ v4.0 allows for the inclusion of additional modules and technologies as you require them. There are more than 40 modules currently available for the system and this number constantly grows. We give you 17 of those modules for free to get you started fast and at very low cost.

Vuln. Description:

SQL.
Mercury CMS™ contains a flaw that allows remote SQL injection attacks. Input passed to the "page" parameter in "index.cfm" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


/index.cfm?page=[SQL]


XSS.
Mercury CMS™ contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "content" and "criteria" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


/index.cfm?page=40&criteria=&start=11&title=&content=[XSS]

/index.cfm?restricted=false&page=10&criteria=[XSS]



Solution:
Edit the source code to ensure that input is properly sanitised.
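One way to apply this fix in a ColdFusion template, as an added example that is not Mercury CMS's own source: the table and column names, the datasource variable and the shape of the handler are assumptions. It shows the unsafe pattern for the "page" parameter beside its hardened form, and output encoding for the "criteria" value.

```cfml
<!--- Assumed vulnerable shape: the URL value is concatenated straight into the SQL string --->
<cfquery name="getPage" datasource="#application.dsn#">
    SELECT page_id, title, body FROM pages WHERE page_id = #url.page#
</cfquery>

<!--- Hardened form: supply a default, reject non-numeric ids, and bind the value as a typed parameter --->
<cfparam name="url.page" default="1">
<cfif NOT isNumeric(url.page)>
    <cfthrow message="Invalid page id">
</cfif>
<cfquery name="getPage" datasource="#application.dsn#">
    SELECT page_id, title, body FROM pages
    WHERE page_id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.page#">
</cfquery>

<!--- Reflected parameters: HTML-encode user-supplied search terms before echoing them back --->
<cfparam name="url.criteria" default="">
<cfoutput>Results for: #HTMLEditFormat(url.criteria)#</cfoutput>
```

The same cfqueryparam binding applies to every other URL or form value that reaches a query, and the same encoding to every value that is echoed into a page, including "content".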

Copyright (c) 2006 Pridels Sec Crew