Bug: PHP-Fusion <= 6.00.206 Multiple Vulnerabilities ( Ascii Version )

Search:
WLB2

PHP-Fusion <= 6.00.206 Multiple Vulnerabilities

Published
Credit
Risk
2005.11.19
r verton gmail com
Medium
CWE
CVE
Local
Remote
N/A
CVE-2006-2331
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.4/10
4.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

PHP-Fusion <= 6.00.206 Multiple Vulnerabilities
===============================================

Software: PHP-Fusion <= 6.00.206
Severity: SQL Injection(s), Path disclosure
Risk: High
Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]>
Date: Nov. 16 2005
Vendor: http://sourceforge.net/projects/php-fusion/

Description:

"...a light-weight open-source content management system (CMS) written in PHP.
It utilises a mySQL database to store your site content and includes a simple,
comprehensive adminstration system. PHP-Fusion includes the most common features
you would expect to see in many other CMS packages...."
[http://php-fusion.co.uk/]

Details:

1) /subheader.php
Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to
include this protection here.

2) /forum/options.php

if (iMEMBER) {
$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE
forum_id='".$forum_id."'"));

If the Forum is activated and you are logged in you can insert malicious code into the databse
trough the $forum_id variable.

/forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]

3) /forum/viewforum.php

if (empty($lastvisited)) { $lastvisited = time(); }

[...]

$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and
post_datestamp>'$lastvisited'");

To exploit this vulnerability you have to be logged out and a minimum of one thread should be
posted in this forum.
Malicious code can be inserted by requesting the following HTTP-request:

http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='


Patch:
Set magic_quotes_gpc to ON.

Credits:

Credit goes to Robin Verton

References:

[1] http://sourceforge.net/projects/php-fusion/
[2] http://myblog.it-security23.net

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version