Name: PHP-Fusion <= 6.01.15 Multiple Vulnerabilities
Vendor: http://php-fusion.co.uk/
Credits: charles "real" F. <charlesfol[at]hotmail.fr> (http://realn.free.fr/)
Date: 08/05/08
XSS Vulnerability
File: photogallery.php
40| $pres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE
| photo_order='".($data['photo_order']-1)."' AND album_id='".$data['album_id']."'");
41| $nres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE
| photo_order='".($data['photo_order']+1)."' AND album_id='".$data['album_id']."'");
42| if (dbrows($pres)) $prev = dbarray($pres);
43| if (dbrows($nres)) $next = dbarray($nres);
…
54| if ((isset($prev['photo_id']) && isNum($prev['photo_id']))
| || (isset($next['photo_id']) && isNum($next['photo_id']))) {
55| if (isset($prev)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
| ."?photo_id=".$prev['photo_id']."' title='".$locale['451']."'><<</a></td>\n";
56| if (isset($next)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
| ."?photo_id=".$next['photo_id']."' title='".$locale['452']."'>>></a></td>\n";
57| }
If dbrows($pres) returns 0, $prev is never assigned by the code, so we can supply $prev ourselves through the request (via the extract() emulation described in the next section). The isNum() test is satisfied by the genuine $next, and $prev['photo_id'] is then echoed into the link unchecked, which gives an XSS vulnerability.
Proof of Concept: ./photogallery.php?photo_id=1&prev[photo_id]='>[XSS]
Var overwrite / IP Falsification (register_globals = Off)
File: maincore.php
14| // If register_globals is turned off, extract super globals (php 4.2.0+)
15| if (ini_get('register_globals') != 1) {
16| if ((isset($_POST) == true) && (is_array($_POST) == true)) extract($_POST, EXTR_OVERWRITE);
17| if ((isset($_GET) == true) && (is_array($_GET) == true)) extract($_GET, EXTR_OVERWRITE);
18| }
…
62| define("USER_IP", $_SERVER['REMOTE_ADDR']);
In maincore.php, extract() with EXTR_OVERWRITE lets us overwrite variables such as the $_SERVER array, for example $_SERVER['REMOTE_ADDR'], from which USER_IP is then defined.
In general, this register_globals emulation is badly done and often leads to variable overwrite;
using EXTR_SKIP would be a bit more secure.
SQL Injection Vulnerability
(magic_quotes_gpc = Off & register_globals = Off)
File: subheader.php
17| if (iMEMBER) $result = dbquery("UPDATE ".$db_prefix."users SET user_lastvisit='".time()
| ."', user_ip='".USER_IP."' WHERE user_id='".$userdata['user_id']."'");
As shown in the var overwrite section above, extract() in maincore.php lets us overwrite $_SERVER['REMOTE_ADDR'], and therefore USER_IP.
With magic_quotes_gpc = Off, that value is interpolated unescaped into queries such as the one in subheader.php, which gives SQL injection.
I didn't write any exploit because this setup is very rare to find, because of the PHP requirements.
But the subheader.php query seems the most interesting, because it concerns the fusion_user table.
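As an added example (not PHP-Fusion code) covering both the extract() overwrite above and the subheader.php query, the following script replays the advisory's PoC against a constructed stand-in for $_GET and then shows a hardened equivalent. The request array, the function names (photoIdParam, prevLink, updateLastVisit) and the use of PDO are assumptions of this example, not the project's code.

```php
<?php
// Added example, not PHP-Fusion code. A constructed request array stands in
// for $_GET and mirrors the advisory's PoC; the top-level part replays the
// extract() pattern from maincore.php, the functions show a hardened form.

$request = [                                          // constructed, stands in for $_GET
    'photo_id' => '1',
    'prev'     => ['photo_id' => "'>[XSS]"],          // supplies $prev when no row was found
    '_SERVER'  => ['REMOTE_ADDR' => "192.0.2.1'"],    // supplies the value USER_IP is built from
];

// Vulnerable pattern (maincore.php 15-17, global scope): every request key becomes
// a variable, and the superglobal $_SERVER is not protected against it.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';              // what the web server actually saw
$prev = null;                                         // no previous photo row was found
extract($request, EXTR_OVERWRITE);
// $prev['photo_id'] is now "'>[XSS]" and $_SERVER['REMOTE_ADDR'] is "192.0.2.1'", so
// photogallery.php echoes the first into a link and subheader.php interpolates the
// second into its UPDATE, with nothing escaping either.

// Hardened equivalent: no extract(); read named keys, validate, escape, parameterise.
function photoIdParam(array $request, string $key): ?int
{
    // Same intent as isNum(): accept only a string of digits, else treat as absent.
    $v = $request[$key] ?? null;
    return is_string($v) && ctype_digit($v) ? (int) $v : null;
}

function prevLink(?int $prevId): string
{
    if ($prevId === null) {
        return '';                                    // nothing to link; $prev cannot come from the request
    }
    $id = htmlspecialchars((string) $prevId, ENT_QUOTES, 'UTF-8');
    return "<td width='1%' class='tbl2'><a href='photogallery.php?photo_id={$id}'>&lt;&lt;</a></td>\n";
}

function updateLastVisit(PDO $db, string $prefix, int $userId, string $remoteAddr): void
{
    // Parameterised form of the subheader.php UPDATE: the address is bound, not interpolated,
    // and replaced unless it parses as an IP, so a spoofed string never reaches the SQL text.
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        $remoteAddr = '0.0.0.0';
    }
    $stmt = $db->prepare("UPDATE {$prefix}users SET user_lastvisit = ?, user_ip = ? WHERE user_id = ?");
    $stmt->execute([time(), $remoteAddr, $userId]);
}

echo prevLink(photoIdParam($request, 'prev'));        // an array in the request is never accepted as an id
```

The $remoteAddr passed to updateLastVisit must be read from the server-populated $_SERVER before any request data is merged into the symbol table, which in practice means never calling extract() on $_GET or $_POST at all.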
Conclusion
This advisory does not present all PHP-Fusion vulnerabilities, but the ones described can lead to critical attacks
through the admin panel.
Now you're on your own, have fun ;)