Community Enterprise 4.x Multiple vuln.

2005-12-17T00:00:00
ID SECURITYVULNS:DOC:10682
Type securityvulns
Reporter Securityvulns
Modified 2005-12-17T00:00:00

Description

Vuln. discovered by: r0t
Date: 17 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/community-enterprise-4x-multiple-vuln.html
Vendor: http://www.citysoft.com/
Affected version: 4.x and prior

Product Description:

CitySoft's Community Enterprise software platform provides an easy-to-use, flexible CMS module that integrates with a wide variety of built-in applications such as document management, event management, and contact management. Non-technical users can easily create and manage pages and other content online.

1.) SQL inj. Community Enterprise contains a flaw that allows remote SQL injection attacks. Input passed to the "nodeID", "pageID", "ID", "parentid" and "documentFormatId" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2.) XSS. Community Enterprise contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "presentationSite", "docPublishYear", "docDescription", "publishState", "docAuthor", "docTitle", "subTopic", "topic", "topicRadio", "topicOnly", "startrow" and "sortby" parameters isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

3.) Full path. Using the errors from the previous vulnerabilities, an attacker can obtain the full install path and other sensitive information. In addition, the application does not verify user input supplied to the "documentid" and "fuseaction" parameters. A malicious person can exploit this to gain knowledge of the full path to the installation directory by sending an HTTP request with invalid input in those parameters.

Vuln. Description:

/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1[SQL]

/index.cfm?fuseaction=page.viewPage&pageID=1[SQL]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=16&ID=1[SQL]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=&parentid=[SQL]

/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=1&documentFormatId=[SQL]

XSS examples

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=&presentationSite=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=&docPublishYear=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=&docDescription=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=&publishState=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=&docAuthor=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=&docTitle=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=&subTopic=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=&topic=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=&topicRadio=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&topicOnly=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=[XSS]

/index.cfm?fuseaction=Document.showDocumentSection&sortby=[XSS]

Full path example:

/index.cfm?fuseaction=r0t

/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=r0t

Solution: Edit the source code to ensure that input is properly sanitised.
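
Added example, not part of the original advisory or of CitySoft's code: a request-log check that flags values for the parameters named above that do not fit an expected shape, useful for spotting probing until the source is fixed. The integer/text typing of each parameter, the fuseaction pattern and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names are the ones the advisory lists; the validation rules are
# assumptions (the advisory does not state the expected types).
INT_PARAMS = {"nodeid", "pageid", "id", "parentid", "documentformatid",
              "documentid", "startrow"}
TEXT_PARAMS = {"presentationsite", "docpublishyear", "docdescription",
               "publishstate", "docauthor", "doctitle", "subtopic", "topic",
               "topicradio", "topiconly", "sortby"}
FUSEACTION_RE = re.compile(r"[A-Za-z]+\.[A-Za-z]+")  # e.g. page.viewPage
INT_RE = re.compile(r"[0-9]{1,10}")
MARKUP_RE = re.compile(r'[<>"]')


def check_request(url):
    """Return (parameter, reason) findings for one request URL."""
    findings = []
    # parse_qsl percent-decodes values; blanks are kept so empty IDs are seen.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = name.lower()  # ColdFusion URL variables are case-insensitive
        if key == "fuseaction":
            if not FUSEACTION_RE.fullmatch(value):
                findings.append((name, "unexpected fuseaction"))
        elif key in INT_PARAMS:
            if not INT_RE.fullmatch(value):
                findings.append((name, "non-integer value"))
        elif key in TEXT_PARAMS and MARKUP_RE.search(value):
            findings.append((name, "markup character"))
    return findings


# Constructed sample requests (not taken from a real log).
SAMPLE_REQUESTS = [
    "/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1",
    "/index.cfm?fuseaction=page.viewPage&pageID=1&nodeID=1%27",
    "/index.cfm?fuseaction=Document.showDocumentSection&sortby=PublishDate&startrow=8&docTitle=%3Cb%3E",
    "/document/docWindow.cfm?fuseaction=document.viewDocument&documentid=abc",
    "/index.cfm?fuseaction=nosuchaction",
]


def scan(requests):
    """Map each flagged URL to its findings; clean requests are omitted."""
    return {u: f for u in requests if (f := check_request(u))}


if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

The same allow-list rules can be enforced server-side before the values reach a query or the page output; a log check only reports what already arrived.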