Date: 22 Dec 2005 21:36:32 -0000
From: [email protected]
To: [email protected]Subject: XSS&Sql injection attack in PHP-Fusion 6.00.3 Released
X-Virus-Scanned: antivirus-gw at tyumen.ru
XSS&Sql injection attack in PHP-Fusion 6.00.3 Released
Web page:http://www.php-fusion.co.uk/
Author:krasza[[email protected]]
1.Description
(...)"PHP-Fusion is a constantly evolving content management system (CMS) powered by PHP 4 and mySQL. It provides an easy to install system with a simple yet powerful set of administrative controls. This means you will have an easy to maintain interactive community website without requiring any knowledge of web programming."
2.XSS
When You are logged in, You can pass the XSS attack.
http://127.0.0.1/[fushion]/members.php?sortby=%3Ciframe%20src=http://securityreason.com%20%3C
After introduce this URL You should see the small frame with this site:
http://securityreason.com
3.Sql injection attack
If magic_quotes_gpc=off and You are logged in, You can pass the sql injection attack. This bug its hard enough to pass and surely we cannot admit as critical. Error appear in every file making possible estimation, because all of modules add includes/ratings_include.php and there is the bug.(...)
if (isset($_POST['post_rating'])) {
if ($_POST['rating'] > 0) {
$result = dbquery("INSERT INTO ".DB_PREFIX."ratings (rating_item_id, rating_type, rating_user, rating_vote, rating_datestamp, rating_ip) VALUES ('$rating_item_id', '$rating_type', '".$userdata['user_id']."', '".$_POST['rating']."', '".time()."', '".USER_IP."')");
}
(...)
Notice that the variable $_POST['post_rating'] is not given of the filtration what causes, that one can her properly change and pass sql injection with the question INSERT. Exploit is accessible an address:
>>>http://securityreason.com/exploitalert/182<;<<
Greets:
-http://www.securityreason.com
-Snak3 from netmore
krasza
[email protected]
http://www.krewniacy.pl
