FusionPHP Fusion News Img Tag Arbitrary Command Execution

2004-07-29T03:08:50
ID OSVDB:8322
Type osvdb
Reporter Joseph Moniz(r3d_5pik3@yahoo.com)
Modified 2004-07-29T03:08:50

Description

Vulnerability Description

FusionPHP Fusion News contains a flaw that may allow a malicious user to execute abitrary commands by embedding a specially crafted BBCode image tag URL into a comment. The issue is triggered when an administrator views the comment while logged in. It is possible that the flaw may allow the creation of user accounts resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

FusionPHP Fusion News contains a flaw that may allow a malicious user to execute abitrary commands by embedding a specially crafted BBCode image tag URL into a comment. The issue is triggered when an administrator views the comment while logged in. It is possible that the flaw may allow the creation of user accounts resulting in a loss of confidentiality, integrity, and/or availability.

Manual Testing Notes

Post a comment with the BBCode image tag URL format shown:

[img]http://[victim]/news/index.php?id=signup&username=example&email=user@example.com&password=password&icon=&le=3&timeoffset=1[/img]

If the administrator has recently logged in this vulnerability can be remotely exploited by convincing the admin to visit a website with a malicious <img> tag such as the following:

<img src="http://[victim]/phpfusion/index.php?id=signup&username=example&email=user@example.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">

References:

Vendor URL: http://www.fusionphp.net/ Security Tracker: 1010829 Packet Storm: http://packetstormsecurity.org/0408-advisories/fusionPHP361.txt Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0347.html ISS X-Force ID: 16853 CVE-2004-1703 Bugtraq ID: 10836