Multiple vulnerabilities in PHP-Fusion
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2013-1803 CVE-2013-1806 CVE-2013-1807 CVE-2013-1804 |
| CWE-ID | CWE-89 CWE-22 CWE-264 CWE-79 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
PHP-Fusion Web applications / CMS |
| Vendor | PHP-Fusion |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) SQL injection
EUVDB-ID: #VU41723
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2013-1803
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the (1) orderby parameter to downloads.php; or remote authenticated users with certain permissions to execute arbitrary SQL commands via a (2) parameter name starting with "delete_attach_" in an edit action to forum/postedit.php; the (3) poll_opts[] parameter in a newthread action to forum/postnewthread.php; the (4) pm_email_notify, (5) pm_save_sent, (6) pm_inbox, (7) pm_sentbox, or (8) pm_savebox parameter to administration/settings_messages.php; the (9) thumb_compression, (10) photo_watermark_text_color1, (11) photo_watermark_text_color2, or (12) photo_watermark_text_color3 parameter to administration/settings_photo.php; the (13) enable parameter to administration/bbcodes.php; the (14) news_image, (15) news_image_t1, or (16) news_image_t2 parameter to administration/news.php; the (17) news_id parameter in an edit action to administration/news.php; or the (18) article_id parameter in an edit action to administration/articles.php. NOTE: the user ID cookie issue in Authenticate.class.php is already covered by CVE-2013-7375. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP-Fusion: 7.02.01 - 7.02.04
CPE2.3- cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*
https://osvdb.org/90693
https://osvdb.org/90695
https://osvdb.org/90709
https://osvdb.org/90710
https://osvdb.org/90711
https://osvdb.org/90712
https://osvdb.org/90713
https://osvdb.org/show/osvdb/90714
https://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html
https://seclists.org/fulldisclosure/2013/Feb/154
https://secunia.com/advisories/52403
https://www.openwall.com/lists/oss-security/2013/03/03/1
https://www.openwall.com/lists/oss-security/2013/03/03/2
https://www.php-fusion.co.uk/news.php?readmore=569
https://www.waraxe.us/advisory-97.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Path traversal
EUVDB-ID: #VU41734
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2013-1806
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) user_theme parameter to maincore.php; or remote authenticated administrators to delete arbitrary files via the (2) enable parameter to administration/user_fields.php or (3) file parameter to administration/db_backup.php.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP-Fusion: 7.02.01 - 7.02.04
CPE2.3- cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*
https://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html
https://seclists.org/fulldisclosure/2013/Feb/154
https://www.openwall.com/lists/oss-security/2013/03/03/1
https://www.openwall.com/lists/oss-security/2013/03/03/2
https://www.osvdb.org/90692
https://www.osvdb.org/90694
https://www.osvdb.org/90696
https://www.php-fusion.co.uk/news.php?readmore=569
https://www.waraxe.us/advisory-97.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU41735
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2013-1807
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sensitive information via a direct request to the backup file in administration/db_backups/.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP-Fusion: 7.02.01 - 7.02.04
CPE2.3- cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*
https://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html
https://seclists.org/fulldisclosure/2013/Feb/154
https://www.openwall.com/lists/oss-security/2013/03/03/1
https://www.openwall.com/lists/oss-security/2013/03/03/2
https://www.osvdb.org/90691
https://www.php-fusion.co.uk/news.php?readmore=569
https://www.waraxe.us/advisory-97.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Cross-site scripting
EUVDB-ID: #VU41739
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2013-1804
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionVulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in PHP-Fusion before 7.02.06 when processing the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list parameter to administration/panel_editor.php; (7) HTTP User Agent string to administration/phpinfo.php; (8) . A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP-Fusion: 7.02.01 - 7.02.04
CPE2.3- cpe:2.3:a:php-fusion:php-fusion:7.02.01:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.02:*:*:*:*:*:*:*
- cpe:2.3:a:php-fusion:php-fusion:7.02.03:*:*:*:*:*:*:*
https://osvdb.org/90707
https://osvdb.org/90708
https://packetstormsecurity.com/files/120598/PHP-Fusion-7.02.05-XSS-LFI-SQL-Injection.html
https://seclists.org/fulldisclosure/2013/Feb/154
https://secunia.com/advisories/52403
https://www.openwall.com/lists/oss-security/2013/03/03/1
https://www.openwall.com/lists/oss-security/2013/03/03/2
https://www.php-fusion.co.uk/news.php?readmore=569
https://www.waraxe.us/advisory-97.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
