PHP-Fusion <= 6.00.206 Multiple Vulnerabilities

2005.11.19
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

PHP-Fusion <= 6.00.206 Multiple Vulnerabilities =============================================== Software: PHP-Fusion <= 6.00.206 Severity: SQL Injection(s), Path disclosure Risk: High Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]> Date: Nov. 16 2005 Vendor: http://sourceforge.net/projects/php-fusion/ Description: "...a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages...." [http://php-fusion.co.uk/] Details: 1) /subheader.php Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to include this protection here. 2) /forum/options.php if (iMEMBER) { $data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'")); If the Forum is activated and you are logged in you can insert malicious code into the databse trough the $forum_id variable. /forum/viewforum.php?forum_id=4&lastvisited='[SQL injection] 3) /forum/viewforum.php if (empty($lastvisited)) { $lastvisited = time(); } [...] $new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'"); To exploit this vulnerability you have to be logged out and a minimum of one thread should be posted in this forum. Malicious code can be inserted by requesting the following HTTP-request: http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited=' Patch: Set magic_quotes_gpc to ON. Credits: Credit goes to Robin Verton References: [1] http://sourceforge.net/projects/php-fusion/ [2] http://myblog.it-security23.net


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top