
XSS&Sql injection attack in PHP-Fusion 6.00.3 Released



Web page:http://www.php-fusion.co.uk/

Author:krasza[krasza@xxxxxxxxx]

1.Description
(...)"PHP-Fusion is a constantly evolving content management system (CMS) 
powered by PHP 4 and mySQL. It provides an easy to install system with a simple 
yet powerful set of administrative controls. This means you will have an easy 
to maintain interactive community website without requiring any knowledge of 
web programming."

2.XSS
When you are logged in, you can carry out the XSS attack.
http://127.0.0.1/[fushion]/members.php?sortby=%3Ciframe%20src=http://securityreason.com%20%3C
After opening this URL you should see a small frame containing this site:
http://securityreason.com

3.Sql injection attack
If magic_quotes_gpc=off and you are logged in, you can carry out the SQL 
injection attack. This bug is fairly hard to exploit and certainly cannot be 
considered critical. The error appears in every file that makes rating 
possible, because all of these modules include includes/ratings_include.php, 
and that is where the bug is.
(...)
if (isset($_POST['post_rating'])) {
  if ($_POST['rating'] > 0) {
    $result = dbquery("INSERT INTO ".DB_PREFIX."ratings (rating_item_id, rating_type, rating_user, rating_vote, rating_datestamp, rating_ip) VALUES ('$rating_item_id', '$rating_type', '".$userdata['user_id']."', '".$_POST['rating']."', '".time()."', '".USER_IP."')");
  }
(...)

Note that the variable $_POST['post_rating'] is not filtered, which means it 
can be changed appropriately to carry out SQL injection through the INSERT 
query. The exploit is available at this address:
>>>http://securityreason.com/exploitalert/182<<<


Greets:
-http://www.securityreason.com
-Snak3 from netmore


krasza
krasza@xxxxxxxxx
http://www.krewniacy.pl
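
A hardened form of the two inputs discussed in sections 2 and 3, as an added example that is not part of the original advisory and is not PHP-Fusion's own code. In the snippet quoted in section 3 the value concatenated into the INSERT is $_POST['rating']; the function names, the 1..5 rating range, the assumed shape of sortby and the SQLite demo table below are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Fusion code. Function names, the 1..5 rating range,
// the sortby pattern and the SQLite demo table are assumptions.

// Section 3: the original test ($_POST['rating'] > 0) is a loose comparison,
// so a string that only starts with a digit passes. Require a real integer.
function clean_rating($raw) {
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 5)));
    return $v === false ? null : $v;
}

// Bind every value as a parameter instead of concatenating it into the INSERT.
function save_rating(PDO $db, $item_id, $type, $user_id, $raw_rating, $ip) {
    $rating = clean_rating($raw_rating);
    if ($rating === null) {
        return false; // reject; do not try to repair the input
    }
    $stmt = $db->prepare(
        'INSERT INTO ratings (rating_item_id, rating_type, rating_user, '
        . 'rating_vote, rating_datestamp, rating_ip) VALUES (?, ?, ?, ?, ?, ?)');
    return $stmt->execute(array($item_id, $type, $user_id, $rating, time(), $ip));
}

// Section 2: validate sortby against the expected shape (assumed here to be
// "all" or one letter) and HTML-encode whatever is echoed back into the page.
function clean_sortby($raw) {
    return is_string($raw) && preg_match('/^(all|[A-Za-z])$/D', $raw) ? $raw : 'all';
}
function html($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Demo on constructed input, using an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (rating_item_id INT, rating_type TEXT,
    rating_user INT, rating_vote INT, rating_datestamp INT, rating_ip TEXT)');

var_dump(save_rating($db, 7, 'A', 1, '4', '127.0.0.1'));           // well-formed vote
var_dump(save_rating($db, 7, 'A', 1, "1', 'x')-- ", '127.0.0.1')); // malformed vote
var_dump((int) $db->query('SELECT COUNT(*) FROM ratings')->fetchColumn());
echo html(clean_sortby('<iframe src=http://example.invalid <')), "\n"; // falls back
echo html('<iframe src=http://example.invalid <'), "\n"; // encoded, not markup
```

Parameter binding removes the dependency on magic_quotes_gpc that section 3 mentions, and the integer check rejects the request before any query is built.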