PHP-Fusion Setuser.PHP HTML Injection Vulnerability
BID:12853
Info
| Bugtraq ID: | 12853 |
| Class: | Input Validation Error |
| CVE: | CVE-2005-0829 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 19 2005 12:00AM |
| Updated: | Jul 12 2009 10:56AM |
| Credit: | Discovery of this vulnerability is credited to the PersianHacker Team <[email protected]>. |
| Vulnerable: | PHP-Fusion PHP-Fusion 5.0 1 Service Pack; PHP-Fusion PHP-Fusion 5.0; PHP-Fusion PHP-Fusion 4.0 1; PHP-Fusion PHP-Fusion 4.00 |
| Not Vulnerable: | |
Discussion
PHP-Fusion is reportedly affected by an HTML injection vulnerability. This issue is due to the application failing to properly sanitize user-supplied input passed to the 'setuser.php' script before using it in dynamically generated content.
This vulnerability is reported to affect PHP-Fusion version 5.01; however, the vendor reports that the vulnerability might exist in an alteration that is planned for version 5.02. This alteration was recently released to the PHP-Fusion community as a mod for version 5.01.
This BID will be updated as soon as further information is made available.
Exploit / POC
The following exploit is available:
Solution / Fix
Solution:
A fix for this issue is pending release. Customers are advised to edit 'fusion_core.php':
Look for the following line, located after line 150:

    if (isset($_POST['login'])) {
        $result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='".$_POST['user_name']."' and user_password=md5('".$_POST['user_pass']."')");

Replace the above code with these 4 lines:

    $user_name = stripinput($_POST['user_name']);
    $user_pass = md5($_POST['user_pass']);
    if (!preg_match("/^[-0-9A-Z_@\s]+$/i", $user_name)) { header("Location: ".FUSION_BASE."index.php"); exit; }
    $result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='$user_name' and user_password='$user_pass'");
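
The following is an added example, not PHP-Fusion code and not part of the original advisory. It applies the allow-list pattern from the workaround to constructed sample names and encodes the value where it is written into a page. The function names are hypothetical, and htmlspecialchars() is used in place of the project's stripinput().

```php
<?php
// Added illustration; not PHP-Fusion code. Function names are hypothetical.

// Allow-list taken from the workaround above:
// letters, digits, '-', '_', '@' and whitespace only.
const LOGIN_NAME_PATTERN = '/^[-0-9A-Z_@\s]+$/i';

// Returns true when the submitted name contains only allow-listed characters.
function is_valid_login_name(string $name): bool
{
    return preg_match(LOGIN_NAME_PATTERN, $name) === 1;
}

// Encode at the point of output so that any markup is displayed as text.
// htmlspecialchars() is an assumption standing in for stripinput().
function render_login_notice(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<p>Logging in as {$safe}</p>";
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'alice',
    'bob_smith@example',
    'Mary Ann',
    '<b>admin</b>',   // markup characters are outside the allow-list
    "O'Brien",        // quote characters are outside the allow-list
    '',               // empty input fails the '+' quantifier
];

foreach ($samples as $name) {
    // Validation decides whether the login attempt proceeds at all;
    // encoding protects the page even if a value slips through elsewhere.
    $verdict = is_valid_login_name($name) ? 'accept' : 'reject';
    printf("%-7s %s\n", $verdict, render_login_notice($name));
}
```

Because the pattern rejects quote and angle-bracket characters, legitimate names such as the constructed "O'Brien" are refused as well, which is the usual trade-off of an allow-list this narrow.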
References
References:
- PHP-Fusion Homepage (PHP-Fusion)
- PHP-Fusion XSS vulnerability patch (PHP-Fusion)
- Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability ("Sheldon King")
- [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection vulnerability (PersianHacker Team)
- Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerabilit ("Sheldon King")
- Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerabilit ("Sheldon King")