by r0t, der4444, cembo, VietMafia

Tuesday, March 28, 2006

couponZONE v.4.2 Multiple vuln.

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/coupons
Affected versions: v.4.2 and prior
###############################################


Vuln. Description:
1.
couponZONE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the local.cfm script not properly sanitizing user-supplied input to the 'companyid', 'scat' and 'coid' parameters before using it in database queries. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Additionally, if a query fails, the program discloses the software's installation path in the error output. While such information is relatively low risk on its own, it is often useful in carrying out additional, more focused attacks.

examples:

/local.cfm?redir=listings&srchby=&companyid=[SQL]
/local.cfm?redir=listings&srchby=ct&cat=&scat=[SQL]
/local.cfm?redir=adv_details&coid=[SQL]


2.
couponZONE contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "srchfor" and "srchby" parameters of "local.cfm" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/local.cfm?srchfor=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&cat=0&x=95&y=13&RequestTimeOut=500&redir=listings&srchby=fr&scat=0

/local.cfm?srchfor=&cat=0&x=78&y=22&RequestTimeOut=500&redir=listings&srchby=%22%3Cscript%3Ealert('r0t')%3C/script%3E



###############################################
Solution:
Edit the source code to ensure that input is properly sanitised: bind the 'companyid', 'scat' and 'coid' values to the queries as typed parameters (cfqueryparam, cf_sql_integer) instead of concatenating them into the SQL text, and HTML-encode 'srchfor' and 'srchby' before writing them back into the page. No vendor fix was available at the time of publication.
###############################################
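As an added illustration of both findings and the fix above (this is example code written for this page, not source from the original advisory or from the couponZONE product), the following CFML shows a listing query built by interpolating the URL values into the SQL text beside the same query with cfqueryparam bindings, and a search term echoed verbatim beside one passed through HTMLEditFormat. The datasource name "couponzone", the table "coupons" and its columns, and the page layout are assumptions; only the parameter names (companyid, scat, coid, srchfor, srchby) come from the advisory.

```cfml
<!--- Added example, not couponZONE source. Datasource "couponzone" and the
      table/column names are assumed; the URL parameter names are the ones
      named in the advisory. --->
<cfparam name="url.companyid" default="0">
<cfparam name="url.scat"      default="0">
<cfparam name="url.coid"      default="0">
<cfparam name="url.srchfor"   default="">
<cfparam name="url.srchby"    default="">

<!--- VULNERABLE (kept only for contrast): the raw query-string value is
      pasted into the SQL text. companyid=0 OR 1=1 rewrites the WHERE clause,
      and a syntactically broken value makes the database throw, which is the
      error page that leaks the template path. --->
<cfquery name="vulnListings" datasource="couponzone">
    SELECT coid, company, title
    FROM   coupons
    WHERE  companyid = #url.companyid#
    AND    scat      = #url.scat#
</cfquery>

<!--- HARDENED: cfqueryparam sends each value as a typed bind parameter, so
      the input is data and can never change the SQL. cf_sql_integer also
      rejects non-numeric input before anything reaches the database. --->
<cfquery name="safeListings" datasource="couponzone">
    SELECT coid, company, title
    FROM   coupons
    WHERE  companyid = <cfqueryparam value="#url.companyid#" cfsqltype="cf_sql_integer">
    AND    scat      = <cfqueryparam value="#url.scat#"      cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for the coupon-details lookup (coid). --->
<cfquery name="safeDetails" datasource="couponzone">
    SELECT coid, company, title, details
    FROM   coupons
    WHERE  coid = <cfqueryparam value="#url.coid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text search term: bind it as a string and add the LIKE wildcards
      in CFML, so the user's value never becomes part of the SQL text. --->
<cfquery name="safeSearch" datasource="couponzone">
    SELECT coid, company, title
    FROM   coupons
    WHERE  title LIKE <cfqueryparam value="%#url.srchfor#%" cfsqltype="cf_sql_varchar">
</cfquery>

<cfoutput>
    <!--- VULNERABLE (kept only for contrast): the search parameters are
          reflected unencoded, so srchfor=<script>alert('r0t')</script>
          executes in the visitor's browser. --->
    <p>Results for: #url.srchfor# (searched by #url.srchby#)</p>

    <!--- HARDENED: HTMLEditFormat converts <, >, & and " to entities, so the
          value is rendered as text. Apply it to every reflected parameter,
          in body text and in attribute values alike. --->
    <p>Results for: #HTMLEditFormat(url.srchfor)# (searched by #HTMLEditFormat(url.srchby)#)</p>
    <input type="text" name="srchfor" value="#HTMLEditFormat(url.srchfor)#">
</cfoutput>
```

Drop the two blocks marked VULNERABLE once the comparison has been made; they are there to show the difference, not to ship. The path disclosure on failed queries is a separate issue from the injection itself: even with cfqueryparam in place, a cf_sql_integer mismatch still produces an error, so a site-wide error template (cferror, or the error handler in the ColdFusion Administrator) should be configured so database and runtime errors are not rendered with the template path.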
More information @ unsecured-systems.com/forum/

1 Comment:

Anonymous said...

All incoming variables in couponZONE are checked with a CFQUERYPARAM tag.

Macromedia recommends that you use the cfqueryparam tag within every cfquery tag, to help secure your databases from unauthorized users.

Read More about this at: http://www.macromedia.com/devnet/security/security_zone/asb99-04.html

3:26 PM

Copyright (c) 2006 Pridels Sec Crew