CF_Nuke v4.6 Multiple vuln.

2005-12-06T00:00:00
ID SECURITYVULNS:DOC:10549
Type securityvulns
Reporter Securityvulns
Modified 2005-12-06T00:00:00

Description


Vuln. discovered by: r0t
Date: 6 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/cfnuke-v46-multiple-vuln.html
Vendor: http://www.mycfnuke.com/
Affected version: v4.6 and prior

Product Description:

CF_Nuke is a free easy-to-setup & easy-to-use open source ColdFusion, community style web application. Offering greater control over web site maintenance, and increased performance over previous versions, CF_Nuke 4.6 is coming into its own as a stand-alone web portal similar to phpNuke. Core Features - Links, News and Reviews, Favorite Quotations - Private Message System for Members - Downloads - Themes - Recommend to Friend - Site FAQ System - Keyword and Category search - Member Registration - Users can submit News, Reviews, Quotations & Links for approval - extensive Admin capabilities. Additional Modules (Forums, Photo Gallery, Shoutbox, RSS, Calendar, Who's Online, Newsletters, etc.) are being made available by our Awesome members.

Vuln. Description:

  1. Local file include: CF_Nuke contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.cfm not properly sanitising user input supplied to the 'sector' and 'page' variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

  2. SQL injection: CF_Nuke contains a flaw that allows remote SQL injection attacks. Input passed to the "newsid" parameter isn't properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

  3. XSS: CF_Nuke contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "cat", "topic" and "newsid" parameters isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
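The three flaws above share one root cause: request parameters flow straight into a file include, an SQL statement and an HTML page. The following is an added example, written for this page and not CF_Nuke's own code, showing the corresponding controls in Python so it runs offline: an allowlist table that maps 'sector'/'page' to templates instead of building a path, a typed and bound 'newsid' parameter, and context-aware encoding of the reflected 'topic' value. The module table, the in-memory news table and the function names are assumptions for the illustration.

```python
import html
import re
import sqlite3
from urllib.parse import quote

# 1. File include: 'sector' and 'page' select a template through a fixed
#    table; the request value is never turned into a path, so "../local file"
#    (however it is encoded) has no entry and is rejected. (Assumed table.)
MODULES = {
    ("news", "read"): "modules/news/read.cfm",
    ("news", "topic"): "modules/news/topic.cfm",
    ("quotes", "index"): "modules/quotes/index.cfm",
    ("links", "links"): "modules/links/links.cfm",
}

def resolve_module(sector, page):
    """Return the template for a (sector, page) pair, or None if unknown."""
    return MODULES.get((sector, page))

# 2. SQL injection: 'newsid' is validated as a small integer and then bound
#    as a query parameter. Binding alone keeps the value out of the SQL text;
#    the regex additionally rejects junk before it reaches the database.
NEWS_ID = re.compile(r"[0-9]{1,9}")

def fetch_news(conn, newsid):
    """Look up one news row by id; returns (id, title) or None."""
    if not NEWS_ID.fullmatch(newsid):
        return None
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (int(newsid),)
    ).fetchone()

# 3. XSS: every reflected value is encoded for the context it lands in.
#    URL-encoding inside the href plus HTML-encoding the attribute and the
#    text renders the "><script> break-out from the advisory inert.
def render_topic_link(topic):
    href = "/index.cfm?sector=news&page=topic&topic=" + quote(topic, safe="")
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(topic, quote=True),
    )

def make_db():
    """Constructed in-memory table standing in for the CF_Nuke news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn

def handle_request(conn, params):
    """Process a query-string dict the way a hardened index.cfm would."""
    sector = params.get("sector", "")
    page = params.get("page", "index")
    template = resolve_module(sector, page)
    if template is None:
        return {"status": 404}
    result = {"status": 200, "template": template}
    if (sector, page) == ("news", "read"):
        result["news"] = fetch_news(conn, params.get("newsid", ""))
    elif (sector, page) == ("news", "topic"):
        result["html"] = render_topic_link(params.get("topic", ""))
    return result

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"sector": "../local file"}))
    print(handle_request(db, {"sector": "news", "page": "read", "newsid": "1"}))
    print(handle_request(db, {"sector": "news", "page": "topic",
                              "topic": "\"><script>alert('r0t')</script>"}))
```

The allowlist is the important part for the include flaw: stripping "../" from the input is fragile against encoding tricks, whereas a lookup that only knows four fixed templates cannot be steered anywhere else.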

Examples:

Local file include:
/index.cfm?sector=../local file
/index.cfm?sector=quotes&page=../local file

SQL injection:
/index.cfm?sector=news&page=read&newsid=[SQL]

XSS:
/index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
/index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
/index.cfm?sector=news&page=read&newsid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
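Since the advisory offers no patch, a site running this version will mostly want to know whether the request shapes listed above are hitting it. The following is an added example, not from the advisory, that parses access-log lines and flags the three patterns per parameter: traversal characters in 'sector'/'page', non-numeric 'newsid' values carrying SQL tokens, and HTML metacharacters in the reflected 'cat'/'topic'/'newsid' parameters. The log lines are constructed samples in Common Log Format, and the parameter lists and thresholds are assumptions drawn from the advisory text.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (Common Log Format). The requests mirror the
# advisory's examples, with "../local file" as the traversal target.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2005:10:00:01 +0000] "GET /index.cfm?sector=news&page=read&newsid=12 HTTP/1.1" 200 5120
10.0.0.9 - - [06/Dec/2005:10:00:02 +0000] "GET /index.cfm?sector=../local%20file HTTP/1.1" 500 312
10.0.0.9 - - [06/Dec/2005:10:00:03 +0000] "GET /index.cfm?sector=quotes&page=..%2Flocal%20file HTTP/1.1" 500 312
10.0.0.9 - - [06/Dec/2005:10:00:04 +0000] "GET /index.cfm?sector=news&page=read&newsid=1%20OR%201%3D1 HTTP/1.1" 200 9001
10.0.0.9 - - [06/Dec/2005:10:00:05 +0000] "GET /index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E HTTP/1.1" 200 4000
10.0.0.7 - - [06/Dec/2005:10:00:06 +0000] "GET /index.cfm?sector=links&page=links&cmd=view&cmd=view&cat=3 HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter roles taken from the advisory's three findings (assumed complete).
INCLUDE_PARAMS = {"sector", "page"}
NUMERIC_PARAMS = {"newsid"}
REFLECTED_PARAMS = {"cat", "topic", "newsid"}

SQL_HINT = re.compile(r"('|--|;|\b(?:or|and|union|select)\b)", re.IGNORECASE)
HTML_HINT = re.compile(r"[<>\"']")

def classify_request(url):
    """Return (kind, parameter, decoded value) findings for one request URL."""
    findings = []
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in qs.items():
        for raw in values:
            # parse_qs decoded once; a second pass catches double-encoding.
            value = unquote_plus(raw)
            if name in INCLUDE_PARAMS and (".." in value or "/" in value or "\\" in value):
                findings.append(("file-include", name, value))
            if name in NUMERIC_PARAMS and not value.isdigit() and SQL_HINT.search(value):
                findings.append(("sql-injection", name, value))
            if name in REFLECTED_PARAMS and HTML_HINT.search(value):
                findings.append(("xss", name, value))
    return findings

def scan_log(text):
    """Scan log text; return (line number, client ip, kind, parameter) alerts."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or "/index.cfm" not in m.group("url"):
            continue
        for kind, name, _value in classify_request(m.group("url")):
            alerts.append((lineno, m.group("ip"), kind, name))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s via %s" % alert)
```

The numeric check on 'newsid' keeps the SQL rule quiet on ordinary traffic; the SQL token list only applies once the value is already not an integer, which is what a clean request to the news reader always sends.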

Solution: Look for a more secure alternative. :)