Cartweaver ColdFusion vuln.
###############################################
Vuln. discovered by: r0t
Date: 25 April 2006
Vendor link: www.cartweaver.com
Affected versions: 2.16.11 and previous
Original advisory: http://pridels.blogspot.com/2006/04/cartweaver-coldfusion-vuln.html
###############################################
Vuln. Description:
Cartweaver ColdFusion contains a flaw that allows remote SQL injection
attacks. Input passed to the "category" parameter in "Results.cfm" and
to the "ProdID" parameter in "Details.cfm" isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Examples:
/Results.cfm?category=[SQL]
/Details.cfm?ProdID=[SQL]
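The fix the Solution section asks for, shown as an added example that is not Cartweaver's own code: a Details.cfm-style product lookup in its vulnerable form beside a hardened form that type-checks the parameter and binds it with cfqueryparam, and the same treatment for the string-valued "category" parameter of Results.cfm. The datasource name "cartweaver", the table "Products" and its columns are assumptions made for the illustration.

```cfml
<!--- Added example, not Cartweaver's code. Datasource "cartweaver",
      table "Products" and its columns are assumed for illustration. --->

<!--- VULNERABLE: the URL parameter is concatenated straight into the SQL
      text, so whatever follows "ProdID=" is parsed as part of the query. --->
<cfquery name="getProduct" datasource="cartweaver">
    SELECT ProdID, ProdName, ProdPrice
    FROM   Products
    WHERE  ProdID = #url.ProdID#
</cfquery>

<!--- HARDENED: cfparam rejects any value that is not an integer before the
      query runs, and cfqueryparam sends the value to the database as a
      typed bind parameter, so it can never be interpreted as SQL. --->
<cfparam name="url.ProdID" type="integer">
<cfquery name="getProduct" datasource="cartweaver">
    SELECT ProdID, ProdName, ProdPrice
    FROM   Products
    WHERE  ProdID = <cfqueryparam value="#url.ProdID#"
                                  cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same pattern for the string-valued "category" parameter in
      Results.cfm: cf_sql_varchar binds it as data, maxlength bounds it. --->
<cfparam name="url.category" type="string" default="">
<cfquery name="getResults" datasource="cartweaver">
    SELECT ProdID, ProdName
    FROM   Products
    WHERE  Category = <cfqueryparam value="#url.category#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

Binding through cfqueryparam is the durable fix; escaping quotes by hand in the page is not, because the integer parameter is never quoted in the first place and a single missed call site reopens the hole.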
A second problem is that the full path to the installation can be
disclosed by supplying an invalid value for the "secondary",
"PageNum_Results" or "category" parameter in "Results.cfm", or for the
"ProdID" parameter in "Details.cfm".
Examples:
/Results.cfm?PageNum_Results=&category=&secondary=[CODE]
/Results.cfm?PageNum_Results=[CODE]
/Details.cfm?ProdID=[CODE]
/Results.cfm?category=[CODE]
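The path disclosure above is the symptom of ColdFusion's default diagnostic page, which names the failing template's full path, reaching the client. The defensive counterpart is an application-wide error handler that logs the detail server-side and returns a generic page. This is an added example, not Cartweaver's code; the application name, the log file name and the template name "error.cfm" are assumptions.

```cfml
<!--- Application.cfm (added example, not Cartweaver's code) --->
<cfapplication name="cartweaver_example">

<!--- Route every unhandled exception, including a failed cfparam type
      check on "ProdID", "category" or "PageNum_Results", to our own
      template instead of the default ColdFusion diagnostic page. --->
<cferror type="exception" template="error.cfm">


<!--- error.cfm (assumed name; the template named in cferror above).
      For type="exception" handlers CFML tags are permitted, so the detail
      can be logged here. --->

<!--- The Error scope carries the template path, the remote address, the
      message and the diagnostics: record them server-side, never echo them
      to the browser. --->
<cflog file="cartweaver_errors" type="error"
       text="#error.template# (#error.remoteAddress#): #error.message#">

<!--- The client sees only a generic message and no file paths. --->
<p>Sorry, the request could not be completed. Please try again later.</p>
```

The ColdFusion Administrator setting "Enable Robust Exception Information" is the server-side counterpart: leaving it disabled keeps template paths out of any error that still escapes a handler.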
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/