Computer Security
securityvulns.ru

From: r0t <krustevs_(at)_googlemail.com>
Date: 06.12.2005
Subject: CF_Nuke v4.6 Multiple vuln.

CF_Nuke v4.6 Multiple vuln.

Vuln. discovered by: r0t
Date: 6 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/cfnuke-v46-multiple-vuln.html
Vendor: http://www.mycfnuke.com/
Affected version: v4.6 and prior

Product Description:

CF_Nuke is a free, easy-to-setup and easy-to-use open source ColdFusion community-style web application. Offering greater control over web site maintenance and increased performance over previous versions, CF_Nuke 4.6 is coming into its own as a stand-alone web portal similar to phpNuke.
Core Features - Links, News and Reviews, Favorite Quotations - Private Message System for Members - Downloads - Themes - Recommend to Friend - Site FAQ System - Keyword and Category search - Member Registration - Users can submit News, Reviews, Quotations & Links for approval - extensive Admin capabilities. Additional Modules (Forums, Photo Gallery, Shoutbox, RSS, Calendar, Who's Online, Newsletters, etc.) are being made available by our Awesome members.




Vuln. Description:


1. Local file include
CF_Nuke contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.cfm not properly sanitizing user input supplied to the "sector" and "page" parameters. This may allow an attacker to include a file from a remote host that contains arbitrary commands, which will be executed by the vulnerable script.

2. SQL inj. vuln.
CF_Nuke contains a flaw that allows remote SQL injection attacks. Input passed to the "newsid" parameter isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3. XSS
CF_Nuke contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "cat", "topic" and "newsid" parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.



Examples:
/index.cfm?sector=../local file

/index.cfm?sector=quotes&page=../local file

/index.cfm?sector=news&page=read&newsid=[SQL]

/index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/index.cfm?sector=news&page=read&newsid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
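The three issues above are all reachable through index.cfm query parameters, so a defender who cannot patch immediately can at least spot attempts in the web server's access log. The script below is an added example (not part of r0t's advisory and not CF_Nuke code): it parses combined-format log lines, URL-decodes the parameters the advisory names, and labels a request as file-include (a ".." path segment in sector/page), sql-injection (a non-numeric newsid carrying SQL metacharacters) or xss (an HTML tag opener in cat/topic/newsid). The log lines, IP addresses and detection regexes are constructed for the example; the request URLs mirror the ones listed above, percent-encoded as a server would record them.

```python
"""Access-log triage for the three CF_Nuke index.cfm issues described above
(file include via sector/page, SQL injection via newsid, reflected XSS via
cat/topic/newsid). Added example; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names as given in the advisory, grouped by issue.
INCLUDE_PARAMS = ("sector", "page")       # 1. local file include
SQL_PARAMS = ("newsid",)                  # 2. SQL injection (newsid is a numeric id)
XSS_PARAMS = ("cat", "topic", "newsid")   # 3. reflected cross-site scripting

# Detection patterns (assumptions chosen for this example, not from the advisory):
# a ".." path segment, an HTML tag opener, and common SQL metacharacters/keywords.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)
SQL_META_RE = re.compile(r"""['";]|--|/\*|\b(union|select|or|and)\b""", re.IGNORECASE)

# Combined-format log line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_params(url):
    """Split the query string; parse_qs decodes once, then unquote twice more so
    double-encoded payloads (%2527 -> %27 -> ') are inspected in plain form."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: [unquote(unquote(v)) for v in values] for name, values in raw.items()}


def classify(url):
    """Return the set of issue labels a single request target matches."""
    if not urlsplit(url).path.lower().endswith("/index.cfm"):
        return set()
    params = decode_params(url)
    findings = set()
    for name in INCLUDE_PARAMS:
        if any(TRAVERSAL_RE.search(v) for v in params.get(name, [])):
            findings.add("file-include")
    for name in SQL_PARAMS:
        # A legitimate newsid is purely numeric; anything else that carries
        # SQL metacharacters is treated as an injection attempt.
        if any(not v.isdigit() and SQL_META_RE.search(v) for v in params.get(name, [])):
            findings.add("sql-injection")
    for name in XSS_PARAMS:
        if any(HTML_TAG_RE.search(v) for v in params.get(name, [])):
            findings.add("xss")
    return findings


def triage(lines):
    """Parse log lines and return (client, target, [labels]) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], sorted(findings)))
    return hits


# Constructed sample log: two benign requests plus the advisory's example URLs,
# percent-encoded the way a web server records them.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Dec/2005:10:00:01 +0000] "GET /index.cfm?sector=news&page=read&newsid=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Dec/2005:10:00:07 +0000] "GET /index.cfm?sector=../local%20file HTTP/1.1" 200 311',
    '10.0.0.9 - - [06/Dec/2005:10:00:09 +0000] "GET /index.cfm?sector=quotes&page=..%2F..%2Flocal%20file HTTP/1.1" 500 0',
    '10.0.0.9 - - [06/Dec/2005:10:00:15 +0000] "GET /index.cfm?sector=news&page=read&newsid=1%27%20OR%201%3D1 HTTP/1.1" 200 9001',
    '10.0.0.9 - - [06/Dec/2005:10:00:21 +0000] "GET /index.cfm?sector=news&page=topic&topic=%22%3E%3Cscript%3Ealert(%27r0t%27)%3C/script%3E HTTP/1.1" 200 4000',
    '10.0.0.9 - - [06/Dec/2005:10:00:25 +0000] "GET /index.cfm?sector=links&page=links&cmd=view&cat=%22%3E%3Cscript%3Ealert(%27r0t%27)%3C/script%3E HTTP/1.1" 200 4000',
    '10.0.0.5 - - [06/Dec/2005:10:00:30 +0000] "GET /index.cfm?sector=links&page=links&cmd=view&cat=12 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, labels in triage(SAMPLE_LOG):
        print(f"{ip} {','.join(labels):<24} {target}")
```

Running the script lists the five suspicious requests from the sample and skips the two benign ones. A request that puts markup into newsid is reported under both sql-injection and xss, which matches the advisory listing newsid under both issues. The decoding step matters: the traversal and tag patterns are applied to the fully decoded value, so encoding the dots or angle brackets (once or twice) does not hide the request from the check.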

Solution:
Look for a more secure alternative. :)
