CFWebstore Input Validation Bugs Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1009403
SecurityTracker URL: http://securitytracker.com/id/1009403
Date: Mar 12 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Some vulnerabilities were reported in CFWebstore. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.
S-Quadra reported that the 'index.cfm' script does not properly filter user-supplied input in the 'category_id', 'product_id', and 'feature_id' parameters. A remote user can supply a specially crafted URL to execute SQL queries on the target system, the report said. A remote user can reportedly invoke the xp_cmdshell() function to execute arbitrary operating system commands on the target system.
It is also reported that a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CFWebstore software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor was reportedly notified on March 4, 2004.
A remote user can inject SQL commands to execute arbitrary operating system commands on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CFWebstore software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has released a fixed version (5.0.1). Contact the vendor for an update:
Vendor URL: www.cfwebstore.com/whatsnewdetail.cfm?WhatsNew__WhatsNewID=43
Input validation error
Underlying OS: Windows (Any)
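Added example (not part of the SecurityTracker alert, the S-Quadra advisory or CFWebstore): a log review check that flags requests to index.cfm where 'category_id', 'product_id' or 'feature_id' is not a plain integer. It assumes those parameters are numeric identifiers and that the web server writes Common Log Format; the sample log lines and the /store/ path are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory names as unfiltered in index.cfm.
WATCHED = {"category_id", "product_id", "feature_id"}
# Assumption: legitimate values are plain non-negative integers.
INTEGER = re.compile(r"[0-9]{1,10}")
# Pulls the request target out of a Common Log Format request field.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_params(target):
    """Return (name, value) pairs in a request target that fail the integer check."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.cfm"):
        return []
    # parse_qsl percent-decodes; keep_blank_values reports an empty id as well.
    return [
        (name.lower(), value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in WATCHED and not INTEGER.fullmatch(value)
    ]


def scan(lines):
    """Yield (line_number, client, hits) for each log line with a non-integer id."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            yield number, line.split(" ", 1)[0], hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2004:10:00:01 +0000] "GET /store/index.cfm?category_id=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Mar/2004:10:00:07 +0000] "GET /store/index.cfm?product_id=7%27 HTTP/1.1" 500 812',
    '192.0.2.44 - - [12/Mar/2004:10:00:09 +0000] "GET /store/index.cfm?feature_id=3%3B%20-- HTTP/1.1" 500 812',
    '192.0.2.10 - - [12/Mar/2004:10:00:15 +0000] "GET /store/images/logo.gif HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, client, hits in scan(SAMPLE_LOG):
        print(f"line {number} from {client}: {hits}")
```

The same integer-only rule is what a server-side check on these three parameters would enforce before the value reaches a query.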
Source Message Contents
Subject: [Full-Disclosure] Dogpatch Software CFWebstore 5.0 shopping cart software multiple
S-Quadra Advisory #2004-03-12
Topic: Dogpatch Software CFWebstore 5.0 shopping cart software multiple
Vendor URL: http://www.cfwebstore.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040312.txt
Release date: 12 Mar 2004
written in Cold Fusion. Customize the templates or utilize the built-in
settings to create your own custom store. CFWebstore can handle just about
anything you want to accomplish in putting your business on the web!" -
www.cfwebstore.com site says. Please visit www.cfwebstore.com site for more
information about this software.
-- Vulnerability 1: SQL Injection vulnerability
An SQL Injection vulnerability has been found in the index.cfm script.
supplied input parameters named 'category_id', 'product_id' and
not filtered before being used in a SQL query. Consequently, query
using malformed input is possible.
Successful exploitation of this vulnerability can enable an attacker to
commands in the system (via MS SQL xp_cmdshell function).
-- Vulnerability 2: Cross Site Scripting vulnerability in 'index.cfm'
user to visit
it a remote attacker can steal user session id and gain access to user's
3. FIX INFORMATION
S-Quadra alerted CFWebstore development team on these issues on 04 Mar
Dogpatch Software response:
"The 5.0.1 version of CFWebstore has been released which addresses all the
security issues previously mentioned. We recoded the validation we were
a more standard method and added additional validations for some areas
not been mentioned, due to our use of the Fusebox methodology, which
user with knowledge of the application to tap into areas other than through
typical URL variables."
Nick Gudov, chief security researcher at S-Quadra <firstname.lastname@example.org> has
detected above mentioned vulnerabilities.
S-Quadra dedicates its substantial knowledge and resources to managing
clients' IT security risks. S-Quadra audits and protection for software
and networks implement pioneering methods and ground-breaking