phpFusion600206.txt

`PHP-Fusion <= 6.00.206 Multiple Vulnerabilities   
===============================================  
  
Software: PHP-Fusion <= 6.00.206  
Severity: SQL Injection(s), Path disclosure  
Risk: High  
Author: Robin Verton <[email protected]>  
Date: Nov. 16 2005  
Vendor: http://sourceforge.net/projects/php-fusion/  
  
  
Description:  
  
"...a light-weight open-source content management system (CMS) written in PHP.   
It utilises a mySQL database to store your site content and includes a simple,   
comprehensive adminstration system. PHP-Fusion includes the most common features   
you would expect to see in many other CMS packages...."  
[http://php-fusion.co.uk/]  
  
  
Details:  
  
1) /subheader.php  
Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to  
include this protection here.  
  
2) /forum/options.php  
  
if (iMEMBER) {  
$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));  
  
  
If the Forum is activated and you are logged in you can insert malicious code into the databse   
trough the $forum_id variable.  
  
  
/forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]  
  
3) /forum/viewforum.php  
  
if (empty($lastvisited)) { $lastvisited = time(); }  
  
[...]  
  
$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");  
  
To exploit this vulnerability you have to be logged out and a minimum of one thread should be  
posted in this forum.  
Malicious code can be inserted by requesting the following HTTP-request:  
  
http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='  
  
  
Patch:  
Set magic_quotes_gpc to ON.  
  
Credits:  
  
Credit goes to Robin Verton  
  
References:  
  
[1] http://sourceforge.net/projects/php-fusion/  
[2] http://myblog.it-security23.net  
`