[UNIX] PHP Fusion CMS Multiple Vulnerabilities (subheader.php, options.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/21/05

    To: list@securiteam.com
    Date: 21 Nov 2005 16:25:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHP Fusion CMS Multiple Vulnerabilities (subheader.php, options.php)
    ------------------------------------------------------------------------

    SUMMARY

    <http://php-fusion.co.uk/> PHP-Fusion - "...a light-weight open-source
    content management system (CMS) written in PHP. It utilises a mySQL
    database to store your site content and includes a simple, comprehensive
    administration system. PHP-Fusion includes the most common features you
    would expect to see in many other CMS packages...."

    SQL injection and path disclosure vulnerabilities have been discovered
    in PHP Fusion CMS.

    DETAILS

    Vulnerable Systems:
     * PHP-Fusion versions 6.00.206 and prior

    Path disclosure in /subheader.php:
    Although PHP-Fusion has a good protection against path disclosure, it
    looks like they've forgotten to include this protection here.

    SQL Injection in /forum/options.php:
    if (iMEMBER) {
        $data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));

    If the forum is activated and you are logged in, you can insert malicious
    code into the database through the $forum_id variable.

    /forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]

    SQL Injection in /forum/viewforum.php:
    if (empty($lastvisited)) { $lastvisited = time(); }
    [...]

    $new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");

    To exploit this vulnerability you have to be logged out, and at least one
    thread must have been posted in the forum. Malicious code can be inserted
    by sending the following HTTP request:

    http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='

    Workaround:
    Set magic_quotes_gpc to ON.
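
    Both injection points above share one root cause: a request value
    ($forum_id, $lastvisited) is concatenated straight into the SQL text, so
    a single quote in the value ends the string literal. The following is an
    added example, not PHP-Fusion's own code: it reproduces the vulnerable
    concatenation as a plain function and shows the hardened equivalent that
    validates the type and binds the value with a mysqli prepared statement.
    The $db_prefix, table and column names mirror the advisory; the
    connection values in the usage comment are placeholders. Note that the
    magic_quotes_gpc workaround only escapes quotes and was removed from PHP
    in 5.4, so it is a stopgap, not a fix.

```php
<?php
// Added example (not PHP-Fusion code). Shows the advisory's vulnerable
// pattern next to a hardened version using mysqli prepared statements.

// 1. Vulnerable pattern: the raw request value is spliced into SQL text.
//    A value containing a single quote terminates the quoted literal and
//    the rest of the value is parsed as SQL.
function vulnerable_forum_query(string $db_prefix, string $forum_id): string
{
    return "SELECT * FROM " . $db_prefix . "forums WHERE forum_id='" . $forum_id . "'";
}

// Table names cannot be bound as parameters, so the prefix (which comes
// from configuration, not the request) is whitelisted to a safe charset.
function assert_safe_prefix(string $db_prefix): void
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $db_prefix)) {
        throw new InvalidArgumentException('table prefix contains unexpected characters');
    }
}

// 2. Hardened: forum_id is a numeric key, so reject anything that is not a
//    positive integer, then bind it so it can never be parsed as SQL.
function fetch_forum(mysqli $db, string $db_prefix, $raw_forum_id): ?array
{
    $forum_id = filter_var($raw_forum_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($forum_id === false) {
        return null; // not a valid id: nothing to look up, nothing reaches the DB
    }
    assert_safe_prefix($db_prefix);
    $stmt = $db->prepare("SELECT * FROM {$db_prefix}forums WHERE forum_id = ?");
    $stmt->bind_param('i', $forum_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3. Hardened counterpart of the viewforum.php dbcount() call: lastvisited
//    is a UNIX timestamp. Keep the original's fallback to time(), but only
//    after the value has been validated as an integer, and bind both values.
function count_new_posts(mysqli $db, string $db_prefix, int $thread_id, $raw_lastvisited): int
{
    $lastvisited = filter_var($raw_lastvisited, FILTER_VALIDATE_INT);
    if ($lastvisited === false) {
        $lastvisited = time();
    }
    assert_safe_prefix($db_prefix);
    $stmt = $db->prepare(
        "SELECT COUNT(post_id) FROM {$db_prefix}posts WHERE thread_id = ? AND post_datestamp > ?"
    );
    $stmt->bind_param('ii', $thread_id, $lastvisited);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// Usage (connection values are placeholders; 'fusion_' is an assumed prefix):
// echo vulnerable_forum_query('fusion_', "4'"), PHP_EOL;   // shows the broken literal
// $db = new mysqli('db-host', 'db-user', 'db-password', 'fusion');
// $forum = fetch_forum($db, 'fusion_', $_GET['forum_id'] ?? '');
// $new   = count_new_posts($db, 'fusion_', (int) ($forum['forum_id'] ?? 0),
//                          $_GET['lastvisited'] ?? '');
```

    The type check before the bind is deliberate: binding alone already
    prevents the value from being parsed as SQL, but rejecting non-integers
    up front also removes the class of "odd value still reaches the query"
    bugs and keeps the application's error behaviour independent of
    magic_quotes_gpc.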

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:r.verton@gmail.com> Robin
    Verton.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

