couponZONE v.4.2 Multiple vuln.

2006-03-28 00:00:00
vulners.com

###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/coupons
Affected versions: v.4.2 and prior
Original advisory: http://pridels.blogspot.com/2006/03/couponzone-v42-multiple-vuln.html
###############################################

Vuln. Description:

  1. SQL vuln.

couponZONE contains a flaw that allows remote SQL injection attacks.
Input passed to the "companyid", "scat" and "coid" parameters of
"local.cfm" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate the application's SQL queries by
injecting arbitrary SQL code.

examples:

/local.cfm?redir=listings&srchby=&companyid=[SQL]
/local.cfm?redir=listings&srchby=ct&cat=&scat=[SQL]
/local.cfm?redir=adv_details&coid=[SQL]
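The following ColdFusion snippet is an added editorial illustration of the flaw and its fix; it is not couponZONE's source, which the advisory does not quote. The table name "coupons", the column list, the datasource variable application.dsn and the error template name are assumptions chosen to mirror the "coid" URL above.

```cfml
<!--- Added example (not couponZONE's code): table "coupons", its columns,
      application.dsn and error.cfm are assumed for illustration. --->

<!--- VULNERABLE (the pattern the advisory describes): the URL value is
      concatenated into the SQL text, so the database parses attacker
      input as SQL.
        /local.cfm?redir=adv_details&coid=1 OR 1=1   -> every coupon row
        /local.cfm?redir=adv_details&coid=1'         -> database error; the
      default ColdFusion error page prints the failed SQL and the
      template path on disk. --->
<cfquery name="qDetails" datasource="#application.dsn#">
    SELECT coid, companyid, title
    FROM   coupons
    WHERE  coid = #url.coid#
</cfquery>

<!--- HARDENED: fail early if the ID is not an integer (cfparam throws),
      then bind the value with cfqueryparam so it reaches the database as
      a typed parameter and never as part of the SQL string. Both
      "1 OR 1=1" and "1'" are rejected before any query runs. The same
      pattern applies to url.companyid and url.scat in the listings
      query. --->
<cfparam name="url.coid" type="integer">
<cfquery name="qDetails" datasource="#application.dsn#">
    SELECT coid, companyid, title
    FROM   coupons
    WHERE  coid = <cfqueryparam value="#url.coid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Close the information leak noted in the advisory: in Application.cfm,
      send exceptions to a generic page instead of the default error dump,
      which includes the failing query and the install path. --->
<cferror type="exception" template="error.cfm">
```

cfqueryparam is the fix that actually removes the injection; the cfparam type check and cferror template only tighten input validation and stop error pages from disclosing the installation path.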

  2. XSS vuln.

couponZONE contains a flaw that allows remote cross-site scripting
attacks. The flaw exists because input passed to the "srchfor" and
"srchby" parameters of "local.cfm" is not properly sanitised before
being returned to the user.
This allows an attacker to craft a URL that, when opened by a victim,
executes arbitrary script in the victim's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.

examples:

/local.cfm?srchfor=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&cat=0&x=95&y=13&RequestTimeOut=500&redir=listings&srchby=fr&scat=0

/local.cfm?srchfor=&cat=0&x=78&y=22&RequestTimeOut=500&redir=listings&srchby=%22%3Cscript%3Ealert('r0t')%3C/script%3E

An attacker probing for the SQL injection will also find that the
resulting database error pages disclose the full installation path and
other sensitive information.
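The snippet below is an added editorial illustration of the XSS flaw and its fix in ColdFusion; it is not couponZONE's source. The form markup is a reconstruction of how "srchfor" and "srchby" might be echoed, and the whitelist of "srchby" codes ("ct", "fr") is an assumption taken from the values visible in the URLs above; the real application may use more.

```cfml
<!--- Added example (not couponZONE's code): the form markup and the
      srchby whitelist ("ct,fr", from the advisory's URLs) are assumed. --->

<!--- VULNERABLE: whatever arrived in ?srchfor= and ?srchby= is written
      straight into the page, so
        srchfor=%3Cscript%3Ealert(1)%3C/script%3E   runs as script, and
        srchby=%22%3Cscript%3E...                   closes the quoted
      attribute and then runs as script. --->
<cfoutput>
    <p>Results for "#url.srchfor#"</p>
    <input type="text" name="srchfor" value="#url.srchfor#">
    <input type="hidden" name="srchby" value="#url.srchby#">
</cfoutput>

<!--- HARDENED: HTMLEditFormat() turns <, >, & and " into entities, which
      is sufficient for text nodes and for attribute values that are
      always double-quoted (it does not escape the single quote, so never
      use it inside a single-quoted attribute). srchby is a fixed set of
      codes chosen by the application's own links, so reject anything
      outside that set instead of echoing it. --->
<cfparam name="url.srchfor" default="">
<cfparam name="url.srchby" default="">
<cfif Len(url.srchby) AND NOT ListFindNoCase("ct,fr", url.srchby)>
    <cfset url.srchby = "">
</cfif>
<cfoutput>
    <p>Results for "#HTMLEditFormat(url.srchfor)#"</p>
    <input type="text" name="srchfor" value="#HTMLEditFormat(url.srchfor)#">
    <input type="hidden" name="srchby" value="#HTMLEditFormat(url.srchby)#">
</cfoutput>
```

HTMLEditFormat() is the encoder available on ColdFusion of the advisory's era; on ColdFusion 10 and later, encodeForHTML() for text and encodeForHTMLAttribute() for attribute values are the preferred, context-specific replacements.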

###############################################
Solution:
Edit the source code so that every URL parameter used by local.cfm is validated and bound as a typed query parameter before it reaches the database, and HTML-encoded before it is echoed back to the page.
###############################################
More information @ unsecured-systems.com/forum/