by r0t, der4444, cembo, VietMafia

Tuesday, April 25, 2006

Cartweaver ColdFusion vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 April 2006
Vendor link: www.cartweaver.com
Affected versions: 2.16.11 and previous
###############################################


Vuln. Description:


1. SQL Injection vuln.

Cartweaver ColdFusion contains a flaw that allows remote SQL injection attacks. Input passed to the "category" and "keywords" parameters in "Results.cfm", and to the "ProdID" parameter in "Details.cfm", isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/Results.cfm?category=[SQL]
/Results.cfm?keywords=[SQL]
/Details.cfm?ProdID=[SQL]




2. Full Path Disclosure.

It is possible to disclose the full path to the installation by supplying an invalid value for the "secondary", "PageNum_Results", "category" or "keywords" parameter in "Results.cfm", or for the "ProdID" parameter in "Details.cfm".

examples:

/Results.cfm?PageNum_Results=&category=&secondary=[CODE]
/Results.cfm?PageNum_Results=[CODE]
/Details.cfm?ProdID=[CODE]
/Results.cfm?category=[CODE]
/Results.cfm?keywords=[CODE]
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
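The fragment below is an added illustration of that solution for the two issues above (unsanitised query parameters, and the ColdFusion error page that leaks application details when a bad value breaks the query). It is not Cartweaver's code and not from the advisory: the file names match the advisory, but the datasource "shopDSN", the "Products" table and its columns, the "shop" log file and the error.cfm template are assumed placeholders.

```cfml
<!--- Hypothetical Details.cfm fragment (added example; not Cartweaver's code).
      Datasource "shopDSN" and table "Products" are assumed placeholders. --->

<!--- BEFORE: the request variable is concatenated straight into the SQL string.
      Any value in ProdID becomes part of the query, and a non-numeric value
      raises a database error whose page (if custom error handling is off)
      shows the template path and the SQL text. --->
<!---
<cfquery name="getProduct" datasource="shopDSN">
    SELECT ProductID, ProductName, Price
    FROM   Products
    WHERE  ProductID = #URL.ProdID#
</cfquery>
--->

<!--- AFTER: validate the parameter, bind it with cfqueryparam, and catch
      database errors so only a benign message reaches the visitor. --->
<cfparam name="URL.ProdID" default="">

<!--- Accept digits only; anything else is treated as "no such product". --->
<cfif NOT REFind("^[0-9]+$", URL.ProdID)>
    <cfoutput><p>No product found.</p></cfoutput>
    <cfabort>
</cfif>

<cftry>
    <cfquery name="getProduct" datasource="shopDSN">
        SELECT ProductID, ProductName, Price
        FROM   Products
        WHERE  ProductID = <cfqueryparam value="#URL.ProdID#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- Keep the detail server-side; never echo cfcatch.Message or
              cfcatch.Detail to the page. --->
        <cflog file="shop" type="error" text="Details.cfm query failed for ProdID=#URL.ProdID#">
        <cfoutput><p>No product found.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<cfif getProduct.RecordCount EQ 0>
    <cfoutput><p>No product found.</p></cfoutput>
<cfelse>
    <cfoutput>
        <h1>#HTMLEditFormat(getProduct.ProductName)#</h1>
        <p>Price: #DollarFormat(getProduct.Price)#</p>
    </cfoutput>
</cfif>

<!--- Hypothetical Results.cfm fragment: the free-text "keywords" parameter
      is bound as a string, so quotes or SQL keywords in it are just data. --->
<cfparam name="URL.keywords" default="">
<cfset searchTerm = Left(Trim(URL.keywords), 100)>

<cfquery name="searchProducts" datasource="shopDSN">
    SELECT ProductID, ProductName
    FROM   Products
    WHERE  ProductName LIKE <cfqueryparam value="%#searchTerm#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Hypothetical Application.cfm line: route every unhandled exception to a
      neutral template so a query failure never shows the raw ColdFusion
      error page (path, SQL, table and column names) to the public. --->
<cferror type="exception" template="error.cfm">
```

The two halves address the two findings separately: cfqueryparam removes the injection vector regardless of what the value contains, while the input check, cfcatch and site-wide cferror make sure that a malformed value produces a "no product found" message instead of a stack trace with the installation path. Both are needed; a parameterised query alone still throws a visible error when custom error handling has been switched off for development and left off on the live server.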
###############################################
More information @ unsecured-systems.com/forum/

1 Comment:

Anonymous said...

For immediate release - April 28, 2006

- Cartweaver 2.17.11 update released -

This free incremental update is released to address a potential issue with erroneous values passed to a query in a URL variable. Cartweaver 2 CF has always used Custom Error handling to present benign error messages to the user should erroneous query string data be passed to a CFQuery. However, there is the potential of a developer/user disabling the custom error feature in order to see the complete CF Error information during the development and set up of a Cartweaver based site, and then mistakenly publishing the site to the live server with Enable Error Handling still disabled.

Due to ColdFusion’s elegant method of handling query string data, no real threat was present to the data stored in the database and due to the fact that Cartweaver does not store sensitive credit data, there was no chance of any customer financial data being compromised. However the error messages presented by ColdFusion in this sort of a query failure could reveal application data that may not be intended to be visible to the public – such as database table and field names. This update to Cartweaver corrects this issue by scrubbing the erroneous or mis-formatted query string values and presenting the user with either valid search results or a “no product found” style message for product details.

To avoid the potential of problems with erroneous or malicious query strings we recommend Cartweaver users apply this update to their sites. If an update is not possible we encourage users to make sure that the default Error Handling is turned on.

This update release is part of our on-going efforts to make Cartweaver the best choice in ecommerce solutions.

If you have any questions, please fill out our contact form at: http://www.cartweaver.com/contact/

Thank you.
Cartweaver Development Team.
www.cartweaver.com

12:18 AM

Copyright (c) 2006 Pridels Sec Crew