XSS&Sql injection attack in PHP-Fusion 6.00.3 Released
Web page:http://www.php-fusion.co.uk/
Author:krasza[krasza@gmail.com]
1.Description
(...)"PHP-Fusion is a constantly evolving content management system (CMS)
powered by PHP 4 and mySQL. It provides an easy to install system with a simple
yet powerful set of administrative controls. This means you will have an easy
to maintain interactive community website without requiring any knowledge of
web programming."
2.XSS
When You are logged in, You can pass the XSS attack.
http://127.0.0.1/[fushion]/members.php?sortby=%3Ciframe%20src=http://securityreason.com%20%3C
After introduce this URL You should see the small frame with this site:
http://securityreason.com
3.Sql injection attack
If magic_quotes_gpc=off and You are logged in, You can pass the sql injection
attack. This bug its hard enough to pass and surely we cannot admit as
critical. Error appear in every file making possible estimation, because all of
modules add includes/ratings_include.php and there is the bug.(...)
if (isset($_POST['post_rating'])) {
if ($_POST['rating'] > 0) {
$result = dbquery("INSERT INTO ".DB_PREFIX."ratings (rating_item_id,
rating_type, rating_user, rating_vote, rating_datestamp, rating_ip) VALUES
('$rating_item_id', '$rating_type', '".$userdata['user_id']."',
'".$_POST['rating']."', '".time()."', '".USER_IP."')");
}
(...)
Notice that the variable $_POST['post_rating'] is not given of the filtration
what causes, that one can her properly change and pass sql injection with the
question INSERT. Exploit is accessible an address:
http://securityreason.com/exploitalert/182<<<
Greets:
-http://www.securityreason.com
-Snak3 from netmore
krasza
krasza@gmail.com
http://www.krewniacy.pl
