PHP-Fusion 'file' Parameter Arbitrary File Deletion Vulnerability

Bugtraq ID:	58265
Class:	Input Validation Error
CVE:	CVE-2013-1805
Remote:	Yes
Local:	No
Published:	Feb 27 2013 12:00AM
Updated:	Feb 27 2013 12:00AM
Credit:	Janek Vind
Vulnerable:	PHP-Fusion PHP-Fusion 7.2.5
Not Vulnerable:	PHP-Fusion PHP-Fusion 7.2.6

PHP-Fusion 'file' Parameter Arbitrary File Deletion Vulnerability

PHP-Fusion is prone to a vulnerability that lets attackers delete arbitrary files on an affected computer in the context of the web server.

Attackers can exploit this issue with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks.

PHP-Fusion 7.02.05 is vulnerable; other versions may also be affected.

PHP-Fusion 'file' Parameter Arbitrary File Deletion Vulnerability

Attackers can use a browser to exploit this issue.

PHP-Fusion 'file' Parameter Arbitrary File Deletion Vulnerability

References:

• [waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05 (Janek Vind )
  
• PHP-Fusion Homepage (PHP-Fusion)