<<< Date Index >>>     <<< Thread Index >>>

PHP-Fusion <= 6.00.206 Multiple Vulnerabilities



PHP-Fusion <= 6.00.206 Multiple Vulnerabilities 
===============================================

   Software: PHP-Fusion <= 6.00.206
   Severity: SQL Injection(s), Path disclosure
   Risk: High
   Author: Robin Verton <r.verton@xxxxxxxxx>
   Date: Nov. 16 2005
   Vendor: http://sourceforge.net/projects/php-fusion/


   Description:

        "...a light-weight open-source content management system (CMS) written 
in PHP. 
        It utilises a mySQL database to store your site content and includes a 
simple, 
        comprehensive adminstration system. PHP-Fusion includes the most common 
features 
        you would expect to see in many other CMS packages...."
        [http://php-fusion.co.uk/]


   Details:

        1) /subheader.php
          Although PHP-Fusion has a good protection against path discolure, it 
looks like they've forgetten to
          include this protection here.

        2) /forum/options.php

          if (iMEMBER) {
                $data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums 
WHERE forum_id='".$forum_id."'"));


          If the Forum is activated and you are logged in you can insert 
malicious code into the databse 
          trough the $forum_id variable.

        
          /forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]

        3) /forum/viewforum.php

        if (empty($lastvisited)) { $lastvisited = time(); }

        [...]

        $new_posts = dbcount("(post_id)", "posts", 
"thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");

        To exploit this vulnerability you have to be logged out and a minimum 
of one thread should be
        posted in this forum.
        Malicious code can be inserted by requesting the following HTTP-request:

        http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='
           
           
   Patch:
          Set magic_quotes_gpc to ON.
  
   Credits:

        Credit goes to Robin Verton

   References:

        [1] http://sourceforge.net/projects/php-fusion/
        [2] http://myblog.it-security23.net