From: r0t <krustevs_(at)_googlemail.com>
Date: 17.12.2005
Subject: CONTENS "search.cfm" Multiple Input Validation Vulnerabilities

CONTENS "search.cfm" Multiple Input Validation Vulnerabilities

Vuln. discovered by: r0t
Date: 17 Dec. 2005
Original advisory:
http://pridels.blogspot.com/2005/12/contens-searchcfm-multiple-input.html

Vendor: http://www.contens.com
Affected version: 3.0 and prior

Product Description:

CONTENS Software GmbH provides Content Management Software (CMS) for
companies with sophisticated online communication needs. Its line of
products meets the demands of businesses from small online editors to
international firms. A strong network of experienced partners
conceives innovative and customized CONTENS solutions and implements
them according to individual demands. With the help of the CONTENS
platform-independent CMS products businesses can quickly realize and
edit extensive online projects without any prior programming
knowledge. Among the well-known businesses that use CONTENS Content
Management products are Concordia Insurance Group, Credit Suisse,
Davidoff, Discovery Channel, Eurocard, GlobeGround Servisair, Hapimag,
HypoVereinsbank BKK, John Deere, Max-Planck, MVV Energie AG, Peri,
ratiopharm, T-Mobile and Schwyzer Kantonalbank.

Vuln. Description:

1. XSS

CONTENS contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because input passed to the "near" parameter in
"search.cfm" isn't properly sanitised before being returned to the
user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=10&near=[XSS]


2. Full path and sensitive information disclosure.
To view the install path and other sensitive information, use one of the
examples below:

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or&itemsperpage=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=r0t&submit.x=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=1&criteria=[CODE]

/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results&advanced=[CODE]

/search.cfm?uselang_en=1&intern=[CODE]

Solution:
Edit the source code to ensure that input is properly sanitised.
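
One way to apply this kind of input checking in front of search.cfm, as an added example that is not part of the original advisory or the vendor's code: a Python allow-list check over the query parameters named above, plus HTML encoding of any value echoed back. The per-parameter rules (including treating "near" as a small integer) are assumptions inferred from the sample values in the URLs above, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed rules, inferred only from the sample values in the advisory's URLs;
# the real CONTENS parameter types are not documented on this page.
INT = re.compile(r"\d{1,4}")
RULES = {
    "uselang_en": INT, "intern": INT, "advanced": INT,
    "submit.x": INT, "submit.y": INT, "itemsperpage": INT, "near": INT,
    "targetgroup": re.compile(r"[a-z]{1,16}"),
    "fuseaction_sea": re.compile(r"[a-z]{1,16}"),
    "submit": re.compile(r"[A-Za-z]{1,16}"),
    "bool": re.compile(r"and|or"),
    "criteria": re.compile(r"[\w \-]{1,100}"),
}

def check_search_request(url):
    """Return a list of (parameter, reason) violations for a search.cfm URL."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/search.cfm"):
        return []  # not the page this check covers
    problems, seen = [], set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = RULES.get(name)
        if rule is None:
            problems.append((name, "unexpected parameter"))
        elif name in seen:
            problems.append((name, "duplicate parameter"))
        elif not rule.fullmatch(value):  # value is already URL-decoded here
            problems.append((name, "value fails allow-list"))
        seen.add(name)
    return problems

def render_echo(value):
    """HTML-encode a value before it is written back into the results page."""
    return html.escape(value, quote=True)

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/search.cfm?uselang_en=1&intern=0&targetgroup=pub&fuseaction_sea=results"
    "&advanced=1&criteria=r0t&submit.x=33&submit.y=10&submit=Search&bool=or"
    "&itemsperpage=10&near=5",
    "/search.cfm?uselang_en=1&intern=0&criteria=r0t&itemsperpage=ten&near=%3Cb%3E",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_search_request(s) or "ok", "<-", s)
```

Rejecting a request that fails the check with a generic error page, rather than letting the application raise its own error, also keeps the install path out of the response.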
