
From:Charles "real" F. <charlesfol_(at)_hotmail.fr>
Date:11.05.2008
Subject:PHP-Fusion <= 6.01.15 Multiple Vulnerabilities

Name:    PHP-Fusion <= 6.01.15 Multiple Vulnerabilities
Vendor:  http://php-fusion.co.uk/
Credits: charles "real" F. <charlesfol[at]hotmail.fr> (http://realn.free.fr/)  
Date:    08/05/08
   
     
01. XSS Vulnerability
   
     +- photogallery.php
   40| $pres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE
     | photo_order='".($data['photo_order']-1)."' AND album_id='".$data['album_id']."'");
   41| $nres = dbquery("SELECT photo_id FROM ".$db_prefix."photos WHERE
     | photo_order='".($data['photo_order']+1)."' AND album_id='".$data['album_id']."'");
   42| if (dbrows($pres)) $prev = dbarray($pres);
   43| if (dbrows($nres)) $next = dbarray($nres);
   ...
   54| if ((isset($prev['photo_id']) && isNum($prev['photo_id']))
     | || (isset($next['photo_id']) && isNum($next['photo_id']))) {
   55|     if (isset($prev)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
     | ."?photo_id=".$prev['photo_id']."' title='".$locale['451'].
     | "'>&lt;&lt;</a></td>\n";
   56|     if (isset($next)) echo "<td width='1%' class='tbl2'><a href='".FUSION_SELF
     | ."?photo_id=".$next['photo_id']."' title='".$locale['452'].
     | "'>&gt;&gt;</a></td>\n";
   57| }
   
   If dbrows($pres) returns 0, $prev is never assigned by the script, so we can supply $prev ourselves (through the register_globals emulation described in 02) and then exploit an XSS vulnerability.
   
   Proof of Concept: ./photogallery.php?photo_id=1&prev[photo_id]='>[XSS]


02. Var overwrite / IP Falsification (register_globals = Off)

     +- maincore.php
   14| // If register_globals is turned off, extract super globals (php 4.2.0+)
   15| if (ini_get('register_globals') != 1) {
   16|     if ((isset($_POST) == true) && (is_array($_POST) == true)) extract($_POST, EXTR_OVERWRITE);
   17|     if ((isset($_GET) == true) && (is_array($_GET) == true)) extract($_GET, EXTR_OVERWRITE);
   18| }
   ...
   62| define("USER_IP", $_SERVER['REMOTE_ADDR']);
   
   In maincore, thanks to extract(), we can overwrite variables including the $_SERVER array, for example $_SERVER['REMOTE_ADDR'].
   In general, this register_globals emulation is very badly done and often leads to variable overwrite;
   using EXTR_SKIP would be a bit more secure.
   

03. SQL Injection Vulnerability (mgc_q_gpc & register_globals = Off)
   
     +- subheader.php
   17| if (iMEMBER) $result = dbquery("UPDATE ".$db_prefix."users SET user_lastvisit='".time()
     | ."', user_ip='".USER_IP."' WHERE user_id='".$userdata['user_id']."'");
   
   In maincore, thanks to extract(), we can overwrite variables like $_SERVER['REMOTE_ADDR'] (see 02).
   Then, with mgc_q_gpc = Off, SQL injection is easy, as in the subheader.php query above.
   
   I didn't write an exploit because this configuration is very rare to find, because of the PHP requirements.
   But the subheader.php query seems the most interesting, because it concerns the fusion_user table.
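   The three sections above share one root cause. As an added example (written for this advisory, not PHP-Fusion's own code), the script below replays the maincore.php emulation on a constructed request, shows why EXTR_SKIP only half-helps, and sketches a safer version of the photo-navigation code; photoNavLink() and the request values are assumptions.

```php
<?php
// Added example, not PHP-Fusion code: replays the maincore.php emulation on a
// constructed request to show which variables the request controls, then a
// safer pattern. "[XSS]" and "[SQL]" are placeholders; nothing is rendered
// or queried. Run from the CLI: php demo.php

// Constructed request, as PHP builds $_GET for
//   photogallery.php?photo_id=1&prev[photo_id]='>[XSS]&_SERVER[REMOTE_ADDR]='[SQL]
$_GET = [
    'photo_id' => '1',
    'prev'     => ['photo_id' => "'>[XSS]"],
    '_SERVER'  => ['REMOTE_ADDR' => "'[SQL]"],
];

// 1. The emulation from maincore.php lines 15-18, run in global scope as there.
extract($_GET, EXTR_OVERWRITE);
// $prev exists although the script never assigned it (section 01) ...
var_dump(isset($prev['photo_id']));
// ... and $_SERVER was replaced wholesale, so USER_IP would carry request data (02/03).
var_dump($_SERVER['REMOTE_ADDR']);

// 2. EXTR_SKIP, as suggested above, keeps variables that already exist ...
$_SERVER = ['REMOTE_ADDR' => '192.0.2.10'];   // constructed client address
unset($prev);
extract($_GET, EXTR_SKIP);
var_dump($_SERVER['REMOTE_ADDR']);            // still the constructed address
// ... but anything not yet defined, such as $prev, is still injected.
var_dump(isset($prev['photo_id']));

// 3. Safer: no extract(), explicit reads, locals initialised, output escaped.
// photoNavLink() is a hypothetical replacement for the echo on lines 55-56.
function photoNavLink(?array $row, string $title, string $label): string {
    if ($row === null || !isset($row['photo_id']) || !preg_match('/^\d+$/', (string) $row['photo_id'])) {
        return '';
    }
    return "<td width='1%' class='tbl2'><a href='photogallery.php?photo_id="
         . (int) $row['photo_id'] . "' title='"
         . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "'>" . $label . "</a></td>";
}
$prev = null;                 // set here, before use, so the request can never supply it
$next = ['photo_id' => 2];    // constructed result of the $nres query
echo photoNavLink($prev, 'Previous', '&lt;&lt;'), "\n";   // empty: no previous photo
echo photoNavLink($next, 'Next', '&gt;&gt;'), "\n";
```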
   
   
04. Conclusion
   
   This advisory does not list every PHP-Fusion vulnerability, but the ones above can lead to critical attacks
   through the admin panel.
   Now you're on your own, have fun ;)
