HIO-2010-0329 Tomato CMS Multiple Vulnerabilities

Some vulnerabilities have been discovered in TomatoCMS 2.0.4 and earlier, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct SQL injection attacks.

 

Script insertion

The following can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed:

1) Input passed via the "content" parameter to index.php/admin/poll/add is not properly sanitised before being displayed to the user. Successful exploitation requires "Create new poll" permissions.

2) Input passed via the "meta" parameter to index.php/admin/category/add is not properly sanitised before being displayed to the user. Successful exploitation requires "Create new category" permissions.

3) Input passed via the "keyword" parameter to index.php/admin/tag/add is not properly sanitised before being displayed to the user. Successful exploitation requires "Create new tag" permissions.

4) Input passed via the "title", "subTitle", and "author" parameters to index.php/admin/news/article/add is not properly sanitised before being displayed to the user. Successful exploitation requires "Add new article" permissions. Discovered by Secunia during disclosure analysis.

SQL injection

Input passed via the "q" parameter to index.php/news/search is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Discovered by Secunia during disclosure analysis.

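As an added illustration of the two defect classes in this entry (it is not TomatoCMS code; TomatoCMS is PHP, where the equivalent fixes are PDO prepared statements and htmlspecialchars), this Python example contrasts a search that concatenates a "q"-style parameter into SQL with one that binds it, and shows output encoding for stored admin fields such as a poll's "content". The table, columns and sample rows are constructed for the example.

```python
import html
import sqlite3

# Constructed sample rows standing in for a news table; not TomatoCMS's schema.
ARTICLES = [
    ("Tomato harvest", "O'Brien"),
    ("Weather report", "Smith"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", ARTICLES)
    return conn


def search_unsafe(conn, q):
    """Concatenated search: 'q' becomes part of the SQL text, so a quote in
    the input changes the structure of the statement (the defect class here)."""
    sql = ("SELECT title FROM news WHERE title LIKE '%" + q + "%'"
           " OR author LIKE '%" + q + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, q):
    """Parameterised search: the driver binds 'q' as a value, never as SQL.
    The LIKE wildcards go into the bound value, not into the statement."""
    pattern = "%" + q + "%"
    sql = "SELECT title FROM news WHERE title LIKE ? OR author LIKE ?"
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def render_poll_content(content):
    """Output encoding for stored admin input such as a poll's 'content':
    HTML metacharacters are escaped so the browser shows them as text."""
    return "<p>" + html.escape(content, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    term = "O'Brien"  # a legitimate value that happens to contain a quote
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError as err:
        print("concatenated query failed on a quote:", err)
    print("bound query:", search_safe(conn, term))
    print(render_poll_content("<b>Vote</b> now"))
```

The concatenated form fails on an ordinary author name with an apostrophe because the input has altered the statement's structure; the bound form returns the matching row and treats the same input purely as data.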


The vulnerabilities are confirmed in version 2.0.4. Prior versions may also be affected.

References:

CVE-2010-1994, CVE-2010-1995, CVE-2010-1996

BID: 40108

FrSIRT: N/A

Nessus: N/A

OSVDB: 64550, 64551, 64552, 64553, 64554

SA: 39320

XF: 58492, 58491, 58475

Related: 

Vendor Solution: Upgrade to 2.0.5