PHP-Fusion <= 6.01.15 Multiple Vulnerabilities

2008-05-11T00:00:00
ID SECURITYVULNS:DOC:19827
Type securityvulns
Reporter Securityvulns
Modified 2008-05-11T00:00:00

Description

Name: PHP-Fusion <= 6.01.15 Multiple Vulnerabilities
Vendor: http://php-fusion.co.uk/
Credits: charles "real" F. <charlesfol[at]hotmail.fr> (http://realn.free.fr/)
Date: 08/05/08

  1. XSS Vulnerability

    +- photogallery.php
    $pres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE photo_order='".($data['photo_order']-1)."' AND album_id='".$data['album_id']."'");
    $nres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE photo_order='".($data['photo_order']+1)."' AND album_id='".$data['album_id']."'");
    if (dbrows($pres)) $prev = dbarray($pres);
    if (dbrows($nres)) $next = dbarray($nres);
    ...
    if ((isset($prev['photo_id']) && isNum($prev['photo_id'])) || (isset($next['photo_id']) && isNum($next['photo_id']))) {
        if (isset($prev)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF."?photo_id=".$prev['photo_id']."' title='".$locale['451']."'>&lt;&lt;</a></td>\n";
        if (isset($next)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF."?photo_id=".$next['photo_id']."' title='".$locale['452']."'>&gt;&gt;</a></td>\n";
    }

    If dbrows($pres) returns 0, $prev is never assigned by the script, so through the register_globals emulation (see 02) we can supply our own $prev value and then exploit an XSS vulnerability.

    Proof of Concept: ./photogallery.php?photo_id=1&prev[photo_id]='>[XSS]
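    A hardened form of the fragment above, written as an added example for this advisory rather than taken from PHP-Fusion. It assumes the PHP-Fusion helpers dbquery/dbrows/dbarray/isNum behave as their names suggest and replaces them with constructed stubs that simulate an album where only a "next" photo exists; the hostile request is constructed to mirror the proof of concept. Two changes close the hole: every variable later tested with isset() is initialised before any request data could have populated it, and each link is validated and escaped on its own branch instead of behind a shared OR.

```php
<?php
// Added example (not PHP-Fusion code). Stubs below simulate the gallery
// helpers named on the page so the file runs stand-alone without a database.
function dbquery($sql) {
    // constructed: only the row with photo_order=2 (the "next" photo) exists
    return (strpos($sql, "photo_order='2'") !== false) ? array(array('photo_id' => 7)) : array();
}
function dbrows($res)  { return count($res); }
function dbarray($res) { return $res[0]; }
function isNum($v)     { return is_scalar($v) && preg_match('/^[0-9]+$/', (string)$v) === 1; }

define('FUSION_SELF', 'photogallery.php');
$db_prefix = 'fusion_';
$locale    = array('451' => 'Previous', '452' => 'Next');
$data      = array('photo_order' => 1, 'album_id' => 3);

// Constructed hostile request shaped like the proof of concept; with the
// register_globals emulation in maincore.php (see 02) it becomes a local $prev.
$_GET = array('photo_id' => '1', 'prev' => array('photo_id' => "'>[XSS]"));
extract($_GET, EXTR_OVERWRITE);

// Fix 1: initialise before use, so nothing imported from the request survives
// into the isset() checks further down.
$prev = null;
$next = null;

$album = (int)$data['album_id'];
$order = (int)$data['photo_order'];
$pres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE photo_order='".($order-1)."' AND album_id='".$album."'");
$nres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE photo_order='".($order+1)."' AND album_id='".$album."'");
if (dbrows($pres)) $prev = dbarray($pres);
if (dbrows($nres)) $next = dbarray($nres);

// Fix 2: validate each id on its own branch (the original OR let an unchecked
// $prev through whenever $next was numeric) and escape everything on output.
function nav_link($row, $title, $arrow) {
    if ($row === null || !isset($row['photo_id']) || !isNum($row['photo_id'])) return '';
    $id    = (int)$row['photo_id'];
    $title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return "<td width='1%' class='tbl2'><a href='".FUSION_SELF."?photo_id=".$id."' title='".$title."'>".$arrow."</a></td>\n";
}

echo nav_link($prev, $locale['451'], '&lt;&lt;');
echo nav_link($next, $locale['452'], '&gt;&gt;');
```

    Run under any PHP CLI: only the "next" cell is emitted, because the injected $prev was discarded by the initialisation step before the database lookups ran, and even a numeric id is cast to int and the title escaped before it reaches the markup.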

  2. Var overwrite / IP Falsification (register_globals = Off)

    +- maincore.php
    // If register_globals is turned off, extract super globals (php 4.2.0+)
    if (ini_get('register_globals') != 1) {
        if ((isset($_POST) == true) && (is_array($_POST) == true)) extract($_POST, EXTR_OVERWRITE);
        if ((isset($_GET) == true) && (is_array($_GET) == true)) extract($_GET, EXTR_OVERWRITE);
    }
    ...
    define("USER_IP", $_SERVER['REMOTE_ADDR']);

    In maincore.php, extract() lets us overwrite variables such as the $_SERVER array, for example $_SERVER['REMOTE_ADDR']. In general, register_globals emulation is done very badly and often leads to variable overwrites; using EXTR_SKIP is a bit more secure.

  3. SQL Injection Vulnerability (magic_quotes_gpc = Off & register_globals = Off)

    +- subheader.php
    if (iMEMBER) $result = dbquery("UPDATE ".$db_prefix."users SET user_lastvisit='".time()."', user_ip='".USER_IP."' WHERE user_id='".$userdata['user_id']."'");

    In maincore.php, extract() lets us overwrite variables such as $_SERVER['REMOTE_ADDR'] (see 02). Then, with magic_quotes_gpc = Off, SQL injection is easy, as in the subheader.php query.

    I didn't do any exploit because it is very rare to find this, due to the PHP requirements. But the subheader.php query seems the most interesting, because it concerns the fusion_user table.
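    The defensive counterpart to 02 and 03, as an added example that is not PHP-Fusion code: a register_globals emulation that cannot replace existing variables or superglobal names, a USER_IP derived only from a validated IP address, and the subheader.php update rewritten as a prepared statement. The hostile request and the server-side address are constructed; the function and variable names (import_request_vars, derive_user_ip, update_last_visit) are this example's own, and the query uses mysqli prepared statements instead of dbquery().

```php
<?php
// Added example (not PHP-Fusion code). Constructed request that tries to
// replace $_SERVER through extract() and to carry SQL in the address field.
$_GET = array(
    '_SERVER' => array('REMOTE_ADDR' => "1.2.3.4', user_level='103"),
    'prev'    => array('photo_id' => '1'),
);
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';   // constructed: what the web server saw

// 1. Emulate register_globals without importing superglobal-looking names and
//    without letting the request win over variables that already exist.
function import_request_vars(array $src) {
    $safe = array();
    foreach ($src as $name => $value) {
        // reject leading underscore (_SERVER, _SESSION, ...) and non-identifiers
        if (substr($name, 0, 1) === '_' || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $name)) continue;
        $safe[$name] = $value;
    }
    return $safe;
}
extract(import_request_vars($_GET), EXTR_SKIP);   // EXTR_SKIP: existing variables are kept

// 2. USER_IP only ever holds a syntactically valid IP address, so neither SQL
//    nor HTML can ride along even when magic_quotes_gpc is off.
function derive_user_ip($raw) {
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return ($ip === false) ? '0.0.0.0' : $ip;
}
define('USER_IP', derive_user_ip($_SERVER['REMOTE_ADDR']));

// 3. Parameterise the last-visit update instead of interpolating USER_IP and
//    the user id into the query string. $db_prefix comes from configuration,
//    not from the request, so it may stay in the SQL text.
function update_last_visit(mysqli $db, $db_prefix, $user_id) {
    $stmt = $db->prepare("UPDATE ".$db_prefix."users SET user_lastvisit=?, user_ip=? WHERE user_id=?");
    $now = time();
    $ip  = USER_IP;
    $uid = (int)$user_id;
    $stmt->bind_param('isi', $now, $ip, $uid);
    return $stmt->execute();
}

// Demonstration without a database: the injected _SERVER key never became a
// variable, and the defined constant is the validated server-side address.
var_dump(isset($prev));
var_dump($_SERVER['REMOTE_ADDR']);
var_dump(USER_IP);
var_dump(derive_user_ip("1.2.3.4', user_level='103"));
```

    Rejecting names that start with an underscore is the part that specifically stops the $_SERVER overwrite; EXTR_SKIP on its own, as the advisory notes, is only "a bit more secure", because a request can still define any variable the script has not yet assigned. An allow-list of the request parameters each script actually expects, or no emulation at all, is the stronger design.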

  4. Conclusion

    This advisory does not present all PHP-Fusion vulnerabilities, but the ones shown can lead to critical attacks through the admin panel. Now you're on your own, have fun ;)