lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051118110646.7846.qmail@securityfocus.com>
Date: 18 Nov 2005 11:06:46 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: PHP-Fusion <= 6.00.206 Multiple Vulnerabilities


PHP-Fusion <= 6.00.206 Multiple Vulnerabilities 
===============================================

   Software: PHP-Fusion <= 6.00.206
   Severity: SQL Injection(s), Path disclosure
   Risk: High
   Author: Robin Verton <r.verton@...il.com>
   Date: Nov. 16 2005
   Vendor: http://sourceforge.net/projects/php-fusion/


   Description:

	"...a light-weight open-source content management system (CMS) written in PHP. 
	It utilises a mySQL database to store your site content and includes a simple, 
	comprehensive adminstration system. PHP-Fusion includes the most common features 
	you would expect to see in many other CMS packages...."
	[http://php-fusion.co.uk/]


   Details:

	1) /subheader.php
	  Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to
	  include this protection here.

	2) /forum/options.php

	  if (iMEMBER) {
		$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));


	  If the Forum is activated and you are logged in you can insert malicious code into the databse 
	  trough the $forum_id variable.

	
	  /forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]

	3) /forum/viewforum.php

	if (empty($lastvisited)) { $lastvisited = time(); }

	[...]

	$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");

	To exploit this vulnerability you have to be logged out and a minimum of one thread should be
	posted in this forum.
	Malicious code can be inserted by requesting the following HTTP-request:

	http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='
	   
	   
   Patch:
          Set magic_quotes_gpc to ON.
  
   Credits:

	Credit goes to Robin Verton

   References:

	[1] http://sourceforge.net/projects/php-fusion/
	[2] http://myblog.it-security23.net


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ