PHP-Fusion forums_prune.php Path Disclosure

2004-08-17T00:00:00
ID OSVDB:9034
Type osvdb
Reporter y3dips (y3dips@echo.or.id)
Modified 2004-08-17T00:00:00

Description

Vulnerability Description

PHP-Fusion contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the forums_prune.php script is requested without any arguments, which discloses the full install path, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/fusion/fusion_admin/updateuser.php
http://[victim]/fusion/fusion_admin/forums_prune.php

References:

Vendor URL: http://sourceforge.net/projects/php-fusion/
Security Tracker: 1010983
Secunia Advisory ID: 12336
Related OSVDB ID: 9032
Related OSVDB ID: 9033
Other Advisory URL: http://echo.or.id/adv/adv04-y3dips-2004.txt
CVE-2004-1723