couponZONE v.4.2 Multiple vuln.
###############################################
Vuln. discovered by: r0t
Date: 28 March 2006
Vendor: http://www.fusionzone.com/applications/coupons
Affected versions: v.4.2 and prior
Original advisory: http://pridels.blogspot.com/2006/03/couponzone-v42-multiple-vuln.html
###############################################
Vuln. Description:
couponZONE contains a flaw that allows remote SQL injection attacks.
Input passed to the "companyid", "scat" and "coid" parameters in
"local.cfm" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.
examples:
/local.cfm?redir=listings&srchby=&companyid=[SQL]
/local.cfm?redir=listings&srchby=ct&cat=&scat=[SQL]
/local.cfm?redir=adv_details&coid=[SQL]
couponZONE also contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because input passed to the
"srchfor" and "srchby" parameters in "local.cfm" isn't properly
sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.
examples:
/local.cfm?srchfor=%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&cat=0&x=95&y=13&RequestTimeOut=500&redir=listings&srchby=fr&scat=0
/local.cfm?srchfor=&cat=0&x=78&y=22&RequestTimeOut=500&redir=listings&srchby=%22%3Cscript%3Ealert('r0t')%3C/script%3E
While testing for SQL injection, an attacker will also obtain the full
installation path and other sensitive/useful information from the
resulting error messages.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
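Added example (not part of the original advisory or the vendor's code): a Python check that applies the advice above to the parameters the advisory names, usable for validating requests or triaging web-server access logs. It assumes "companyid", "scat" and "coid" are integer identifiers; the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the ID parameters named in the advisory carry integer identifiers.
NUMERIC_PARAMS = ("companyid", "scat", "coid")
# Parameters the advisory says are returned to the user unsanitised.
REFLECTED_PARAMS = ("srchfor", "srchby")
DIGITS = re.compile(r"[0-9]+")
MARKUP = re.compile(r"[<>\"']")


def audit_request(url):
    """Return (parameter, reason) findings for one request URL to local.cfm."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/local.cfm"):
        return []
    # parse_qs percent-decodes values; keep_blank_values keeps empty parameters.
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, values in query.items():
        key = name.lower()
        for value in values:
            if key in NUMERIC_PARAMS and value and not DIGITS.fullmatch(value):
                findings.append((key, "non-numeric value in ID parameter"))
            elif key in REFLECTED_PARAMS and MARKUP.search(value):
                findings.append((key, "HTML metacharacter in reflected parameter"))
    return findings


def audit_requests(urls):
    """Map each suspicious URL to its findings; clean requests are omitted."""
    report = {}
    for url in urls:
        findings = audit_request(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample requests, not taken from a real log.
SAMPLE_REQUESTS = [
    "/local.cfm?redir=listings&srchby=&companyid=12",
    "/local.cfm?redir=adv_details&coid=7%27",
    "/local.cfm?srchfor=%3Cb%3Ex&cat=0&redir=listings&srchby=fr&scat=0",
    "/index.cfm?coid=abc",
]

if __name__ == "__main__":
    for url, findings in audit_requests(SAMPLE_REQUESTS).items():
        print(url, findings)
```

Rejecting or logging such requests is a stopgap; the fix in the application itself is to bind the ID values as typed query parameters and HTML-encode the search fields on output.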
###############################################
More information @ unsecured-systems.com/forum/