[UNIX] PHP-FUSION Various Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/22/04

  • Next message: SecuriTeam: "[UNIX] Mantis Bug Tracker Multiple Vulnerabilities" 
    To: list@securiteam.com
Date: 22 Aug 2004 17:26:31 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      PHP-FUSION Various Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    " <http://sourceforge.net/projects/php-fusion/> PHP-Fusion is an
    all-in-one content management system (CMS) written in PHP4. It uses a
    MySQL database to store all of it's content such as News, Articles, Forum
    Posts, Shoutbox Posts and more."

    Multiple varied vulnerabilities were found in PHP-FUSION. The
    vulnerabilities range from simple path disclosure to script direct access
    and even gaining administrative access.

    DETAILS

    Vulnerable Systems:
     * PHP-FUSION version 4.00

    The full path to the CMS can be found because scripts are not protected
    against direct access. In such an event, sending an invalid query will
    return a standard error from the backend DB server.

     * First script is at fusion_admin/updateuser.php.

    Example:
    http://localhost/fusion/fusion_admin/updateuser.php

    The output generated is roughly:
    Warning: main(fusion_langdiradmin/admin_members.php): failed to open
    stream:
    No such file or directory in
    /var/www/html/fusion/fusion_admin/updateuser.php on line 14

    Fatal error: main(): Failed opening required
    'fusion_langdiradmin/admin_members.php'
    (include_path='.:/usr/share/pear') in
    /var/www/html/fusion/fusion_admin/updateuser.php on line 14

     * Second script is at fusion_admin/forums_prune.php.

    Example:
    http://localhost/fusion/fusion_admin/forums_prune.php

    The output generated is roughly:
    Fatal error: Call to undefined function:
    opentable() in /var/www/html/fusion/fusion_admin/forums_prune.php on line
    14

    It is also possible to download or view the DB backup file from the DB and
    use that to gain admin access. The readme file states:
    1 - CHMOD the following folders to 0777:
            - ---
            - fusion_admin/db_backups
            - ---

    Which means that the db_backups file is browse-able and can be easily
    retrieved

    Examples:
        - backup_2004-08-17_1845.sql
        - backup_2004-08-17_1845.sql.gz
        - backup_year-month-day_time.sql
        - backup_year-month-day_time.sql.gz

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:y3dips@echo.or.id> Ahmad
    Muammar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Mantis Bug Tracker Multiple Vulnerabilities"

    Relevant Pages