|
|
|
>>
VUPEN Security / Public Mailing Lists Mirror |
Assigned : VUPEN/ADV-2005-2504
From : r.verton at gmail.com
Subject : PHP-Fusion <= 6.00.206 Multiple Vulnerabilities
Date : 2005-11-18
Original Message
PHP-Fusion <= 6.00.206 Multiple Vulnerabilities
===============================================
Software: PHP-Fusion <= 6.00.206
Severity: SQL Injection(s), Path disclosure
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Nov. 16 2005
Vendor: http://sourceforge.net/projects/php-fusion/
Description:
"...a light-weight open-source content management system (CMS) written in PHP.
It utilises a mySQL database to store your site content and includes a simple,
comprehensive adminstration system. PHP-Fusion includes the most common features
you would expect to see in many other CMS packages...."
[http://php-fusion.co.uk/]
Details:
1) /subheader.php
Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to
include this protection here.
2) /forum/options.php
if (iMEMBER) {
$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));
If the Forum is activated and you are logged in you can insert malicious code into the databse
trough the $forum_id variable.
/forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]
3) /forum/viewforum.php
if (empty($lastvisited)) { $lastvisited = time(); }
[...]
$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");
To exploit this vulnerability you have to be logged out and a minimum of one thread should be
posted in this forum.
Malicious code can be inserted by requesting the following HTTP-request:
http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='
Patch:
Set magic_quotes_gpc to ON.
Credits:
Credit goes to Robin Verton
References:
[1] http://sourceforge.net/projects/php-fusion/
[2] http://myblog.it-security23.net
Disclaimer : VUPEN Security does not endorse the content of this
message submitted by others to public mailinglists. Messages submitted to public
mailinglists do not necessarily reflect the opinions or policies of VUPEN Security.
VUPEN Security makes no warranties, express or implied, as to the content of the message
in this page or the accuracy and reliability of any messages and other materials
submitted to public mailinglists. Any questions or comments regarding this page
should be sent to
team@vupen.com
|
|
|
|
|
|
Monthly Statistics |
 |
|
|
|
| |
|
Try VUPEN
VNS |
 |
|
 |
|
| |
|
 |
| |
|
|
|
|
