Date: 22 Dec 2005 21:36:32 -0000
From: krasza@...il.com
To: bugtraq@...urityfocus.com
Subject: XSS&Sql injection attack in PHP-Fusion 6.00.3 Released


XSS & SQL injection attack in PHP-Fusion 6.00.3 Released
Web page: http://www.php-fusion.co.uk/

Author: krasza [krasza@...il.com]

1. Description
(...)"PHP-Fusion is a constantly evolving content management system (CMS) powered by PHP 4 and mySQL. It provides an easy to install system with a simple yet powerful set of administrative controls. This means you will have an easy to maintain interactive community website without requiring any knowledge of web programming."

2. XSS
When you are logged in, you can carry out the XSS attack.
http://127.0.0.1/[fushion]/members.php?sortby=%3Ciframe%20src=http://securityreason.com%20%3C
After entering this URL you should see a small frame with this site:
http://securityreason.com

3. SQL injection attack
If magic_quotes_gpc=off and you are logged in, you can carry out the SQL injection attack. This bug is fairly hard to exploit and surely cannot be considered critical. The error appears in every file that allows rating, because all of those modules include includes/ratings_include.php, and that is where the bug is. (...)
if (isset($_POST['post_rating'])) {
  if ($_POST['rating'] > 0) {
   $result = dbquery("INSERT INTO ".DB_PREFIX."ratings (rating_item_id, rating_type, rating_user, rating_vote, rating_datestamp, rating_ip) VALUES ('$rating_item_id', '$rating_type', '".$userdata['user_id']."', '".$_POST['rating']."', '".time()."', '".USER_IP."')");
  }
(...)

Notice that the variable $_POST['post_rating'] is not filtered, so it can be modified appropriately to pass SQL injection into the INSERT query. The exploit is available at this address:
>>>http://securityreason.com/exploitalert/182<<<


Greets:
-http://www.securityreason.com
-Snak3 from netmore


krasza
krasza@...il.com
http://www.krewniacy.pl
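
A hardened form of the INSERT from includes/ratings_include.php quoted in the advisory above, as an added example that is not part of the original post or of PHP-Fusion's code. It assumes PDO in place of dbquery(), an in-memory SQLite table named ratings standing in for DB_PREFIX."ratings", a vote range of 1 to 5, and the hypothetical helpers validate_rating() and save_rating().

```php
<?php
// Added example: hardened form of the ratings INSERT quoted in the advisory.
// Assumptions: PDO instead of dbquery(), an in-memory SQLite table standing in
// for DB_PREFIX."ratings", and a valid vote range of 1..5.

function validate_rating($raw): ?int
{
    // Accept only a plain integer in range; anything else is rejected.
    $vote = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    return $vote === false ? null : $vote;
}

function save_rating(PDO $db, int $itemId, string $type, int $userId, $rawVote, string $ip): bool
{
    $vote = validate_rating($rawVote);
    if ($vote === null) {
        return false;               // reject instead of building a query
    }
    // Placeholders keep every value out of the SQL text, whatever
    // magic_quotes_gpc is set to.
    $stmt = $db->prepare(
        'INSERT INTO ratings (rating_item_id, rating_type, rating_user,
                              rating_vote, rating_datestamp, rating_ip)
         VALUES (?, ?, ?, ?, ?, ?)');
    return $stmt->execute([$itemId, $type, $userId, $vote, time(), $ip]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (rating_item_id INTEGER, rating_type TEXT,
    rating_user INTEGER, rating_vote INTEGER, rating_datestamp INTEGER, rating_ip TEXT)');

// Constructed sample inputs: one normal vote, out-of-range values, and
// strings that are not integers (including one with a stray quote).
$samples = ['4', '0', '9', "3'", 'abc'];
foreach ($samples as $raw) {
    $ok = save_rating($db, 1, 'A', 7, $raw, '192.0.2.10');
    printf("%-8s => %s\n", var_export($raw, true), $ok ? 'stored' : 'rejected');
}
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM ratings')->fetchColumn(), "\n";
```

Validation and parameter binding are independent layers here: the range check rejects non-numeric votes before any query is built, and the bound parameters protect the remaining values regardless of server quoting settings.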

