SECURITYVULNS:DOC:19827
May 11, 2008

PHP-Fusion <= 6.01.15 Multiple Vulnerabilities

Source: vulners.com

Name: PHP-Fusion <= 6.01.15 Multiple Vulnerabilities
Vendor: http://php-fusion.co.uk/
Credits: charles "real" F. <charlesfol[at]hotmail.fr> (http://realn.free.fr/)
Date: 08/05/08

  1. XSS Vulnerability

    ± photogallery.php
    $pres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE "
        ."photo_order='".($data['photo_order']-1)."' AND album_id='".$data['album_id']."'");
    $nres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE "
        ."photo_order='".($data['photo_order']+1)."' AND album_id='".$data['album_id']."'");
    if (dbrows($pres)) $prev = dbarray($pres);
    if (dbrows($nres)) $next = dbarray($nres);

    if ((isset($prev['photo_id']) && isNum($prev['photo_id']))
        || (isset($next['photo_id']) && isNum($next['photo_id']))) {
        if (isset($prev)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
            ."?photo_id=".$prev['photo_id']."' title='".$locale['451']."'>&lt;&lt;</a></td>\n";
        if (isset($next)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
            ."?photo_id=".$next['photo_id']."' title='".$locale['452']."'>&gt;&gt;</a></td>\n";
    }

    If dbrows($pres) returns 0 (the photo has no predecessor), $prev is never assigned from the database,
    so the $prev array that maincore.php's register_globals emulation extracted from $_GET (see 02) survives.
    The guard only needs one numeric photo_id on either side, so as long as $next['photo_id'] is numeric
    (a real next photo, or one supplied the same way) the attacker's $prev['photo_id'] is echoed into the
    href unescaped: reflected XSS.

    Proof of Concept: ./photogallery.php?photo_id=1&prev[photo_id]='>[XSS]
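    How the two checks interact, as an added example that is not PHP-Fusion's own code: it replays the
    register_globals emulation from maincore.php against the proof-of-concept request above, re-implements
    isNum() as a digits-only test (an assumption; PHP-Fusion's helper is not on this page), assumes no
    "previous" photo exists in the database while the next one does, and puts the shipped navigation code
    beside a version that validates each link on its own.

```php
<?php
// Added example, not PHP-Fusion code. Replays the maincore.php extract()
// against the advisory's proof-of-concept request and shows why the $prev
// link renders unescaped, then a hardened version of the same check.
// Assumptions: isNum() re-implemented as a digits-only test (PHP-Fusion's
// helper is not on this page); no "previous" photo exists in the database,
// so $prev is never assigned from dbarray(); the $next row is constructed.

function isNum($value) {
    // digits only, so "'>[XSS]" fails but "2" passes
    return !is_array($value) && preg_match('/^[0-9]+$/', (string) $value) === 1;
}

// Constructed request: ./photogallery.php?photo_id=1&prev[photo_id]='>[XSS]
$_GET = array(
    'photo_id' => '1',
    'prev'     => array('photo_id' => "'><script>alert(1)</script>"),
);

// maincore.php register_globals emulation: $prev now exists, attacker-supplied
if ((isset($_GET) == true) && (is_array($_GET) == true)) extract($_GET, EXTR_OVERWRITE);

// photogallery.php: dbrows($pres) is 0, so $prev keeps the extracted value;
// the next photo does exist (constructed row).
$next = array('photo_id' => '2');

// As shipped: one numeric photo_id on either side is enough to pass the
// guard, after which BOTH links are printed with isset() as the only test.
function shipped_nav($prev, $next) {
    $out = '';
    if ((isset($prev['photo_id']) && isNum($prev['photo_id']))
        || (isset($next['photo_id']) && isNum($next['photo_id']))) {
        if (isset($prev)) $out .= "<a href='photogallery.php?photo_id=".$prev['photo_id']."'>&lt;&lt;</a>\n";
        if (isset($next)) $out .= "<a href='photogallery.php?photo_id=".$next['photo_id']."'>&gt;&gt;</a>\n";
    }
    return $out;
}

// Hardened: validate each side separately, cast to int, and escape anyway.
function hardened_nav($prev, $next) {
    $out = '';
    foreach (array('&lt;&lt;' => $prev, '&gt;&gt;' => $next) as $label => $row) {
        if (is_array($row) && isset($row['photo_id']) && isNum($row['photo_id'])) {
            $id = htmlspecialchars((string) (int) $row['photo_id'], ENT_QUOTES, 'UTF-8');
            $out .= "<a href='photogallery.php?photo_id=".$id."'>".$label."</a>\n";
        }
    }
    return $out;
}

echo shipped_nav($prev, $next);
// <a href='photogallery.php?photo_id='><script>alert(1)</script>'>&lt;&lt;</a>
// <a href='photogallery.php?photo_id=2'>&gt;&gt;</a>
echo hardened_nav($prev, $next);
// <a href='photogallery.php?photo_id=2'>&gt;&gt;</a>
```

    The important difference is that the shipped guard is an OR across both sides: a valid $next vouches
    for an attacker-controlled $prev. Validating each row separately, and never trusting a variable that
    the emulation could have seeded, closes the hole independently of whether extract() is fixed.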

  2. Var overwrite / IP Falsification (register_globals = Off)

    ± maincore.php
    // If register_globals is turned off, extract super globals (php 4.2.0+)
    if (ini_get('register_globals') != 1) {
        if ((isset($_POST) == true) && (is_array($_POST) == true)) extract($_POST, EXTR_OVERWRITE);
        if ((isset($_GET) == true) && (is_array($_GET) == true)) extract($_GET, EXTR_OVERWRITE);
    }

    define("USER_IP", $_SERVER['REMOTE_ADDR']);

    Because maincore.php runs extract() on $_POST and $_GET with EXTR_OVERWRITE before anything else,
    a request parameter whose name matches an existing variable replaces it, superglobals included:
    ?_SERVER[REMOTE_ADDR]=... replaces $_SERVER with the attacker's array, and USER_IP, defined later
    in the same file from $_SERVER['REMOTE_ADDR'], picks up the forged address.
    register_globals emulation of this kind is done badly in many applications and routinely leads to
    variable overwrite. EXTR_SKIP would be a bit more secure, since it refuses to overwrite names that
    already exist, but it does nothing for variables such as $prev in photogallery.php that are only
    assigned later (see 01).

  3. SQL Injection Vulnerability
    (magic_quotes_gpc = Off and register_globals = Off)

    ± subheader.php
    if (iMEMBER) $result = dbquery("UPDATE ".$db_prefix."users SET user_lastvisit='".time()
        ."', user_ip='".USER_IP."' WHERE user_id='".$userdata['user_id']."'");

    As described in 02, the extract() in maincore.php lets a request overwrite $_SERVER['REMOTE_ADDR'],
    and USER_IP is defined from it. With magic_quotes_gpc = Off the forged value keeps its quotes, so when
    a logged-in member (iMEMBER) loads any page, subheader.php interpolates it into the UPDATE above
    unescaped: SQL injection into the users table.

    I didn't write any exploit because it is very rare to find this setup, given the PHP requirements.
    But the subheader.php query seems the most interesting, because it concerns the fusion_user table.
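    The full path from 02 to 03, as an added example that is not PHP-Fusion's own code: a constructed
    request overwrites $_SERVER through the maincore.php extract(), the subheader.php UPDATE is built from
    the result (as a string only; nothing is sent to a database), EXTR_SKIP is tried for comparison, and a
    validated alternative follows. $db_prefix, $userdata, the web server's REMOTE_ADDR and the request
    itself are stand-ins, and magic_quotes_gpc is assumed Off so the single quote arrives unescaped.

```php
<?php
// Added example, not PHP-Fusion code. Re-creates the path from the extract()
// in maincore.php to the UPDATE in subheader.php with a constructed request,
// then shows what EXTR_SKIP changes and a validated alternative.
// The SQL is only built as a string here; nothing is sent to a database.
// Assumptions: $db_prefix, $userdata and the web-server-supplied REMOTE_ADDR
// are stand-ins, and magic_quotes_gpc is Off, so the quote reaches PHP as-is.

$db_prefix = 'fusion_';
$userdata  = array('user_id' => '7');            // constructed logged-in member
$_SERVER['REMOTE_ADDR'] = '203.0.113.5';         // what the web server set (constructed)

// Constructed request: ?_SERVER[REMOTE_ADDR]=1.2.3.4'+--+&prev[photo_id]=x
$_GET = array(
    '_SERVER' => array('REMOTE_ADDR' => "1.2.3.4' -- "),
    'prev'    => array('photo_id' => 'x'),       // see 01: a name that does not exist yet
);

// subheader.php, built the same way (string concatenation).
function build_lastvisit_query($db_prefix, $user_ip, $user_id) {
    return "UPDATE ".$db_prefix."users SET user_lastvisit='".time()
        ."', user_ip='".$user_ip."' WHERE user_id='".$user_id."'";
}

// 1. maincore.php as shipped: EXTR_OVERWRITE replaces the existing $_SERVER
//    with the attacker's array; USER_IP is taken from it afterwards.
$saved_server = $_SERVER;
extract($_GET, EXTR_OVERWRITE);
$user_ip = $_SERVER['REMOTE_ADDR'];              // what define("USER_IP", ...) captures
echo build_lastvisit_query($db_prefix, $user_ip, $userdata['user_id']), "\n";
// UPDATE fusion_users SET user_lastvisit='...', user_ip='1.2.3.4' -- ' WHERE user_id='7'
// The trailing "-- " turns the WHERE clause into a comment: one request,
// every row of the users table updated.

// 2. EXTR_SKIP: names that already exist are left alone, so $_SERVER survives...
$_SERVER = $saved_server;
unset($prev);
extract($_GET, EXTR_SKIP);
echo $_SERVER['REMOTE_ADDR'], "\n";              // 203.0.113.5
echo isset($prev) ? "prev still created\n" : "prev absent\n";   // prev still created
// ...but a name that did not exist at extract() time is still populated from
// the request, which is why EXTR_SKIP is only "a bit" more secure.

// 3. Validated: do not extract request data into the symbol table at all,
//    check that the IP really is an IP, and cast the id; in real code bind
//    the values with a prepared statement instead of interpolating them.
function safe_user_ip(array $server) {
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}
function build_lastvisit_query_safe($db_prefix, array $server, $user_id) {
    return "UPDATE ".$db_prefix."users SET user_lastvisit='".time()
        ."', user_ip='".safe_user_ip($server)."' WHERE user_id='".(int) $user_id."'";
}
$_SERVER = $saved_server;
echo build_lastvisit_query_safe($db_prefix, $_SERVER, $userdata['user_id']), "\n";
// UPDATE fusion_users SET user_lastvisit='...', user_ip='203.0.113.5' WHERE user_id='7'
echo build_lastvisit_query_safe($db_prefix, array('REMOTE_ADDR' => "1.2.3.4' -- "), 7), "\n";
// ... user_ip='0.0.0.0' WHERE user_id='7'   (forged value rejected)
```

    Whether extract() can clobber a superglobal at global scope is a property of the PHP build, and it did
    on the PHP 4/5 releases this advisory targets; the validation in step 3 does not depend on it, because
    a value that fails FILTER_VALIDATE_IP never reaches the query in any form.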

  4. Conclusion

    This advisory does not cover every PHP-Fusion vulnerability, but the ones above can lead to critical
    attacks through the admin panel.
    Now you're on your own, have fun ;)