PHP-Fusion 多个目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195049 漏洞类型 路径遍历
发布时间 2006-05-11 更新时间 2006-05-12
CVE编号 CVE-2006-2331 CNNVD-ID CNNVD-200605-193
漏洞平台 N/A CVSS评分 6.4
|漏洞来源
https://cxsecurity.com/issue/WLB-2005110053
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-193
|漏洞详情
PHP-Fusion6.00.306存在多个目录遍历漏洞。远程攻击者可以借助(1)infusions/last_seen_users_panel/last_seen_users_panel.php中的settings[locale]参数中的..(点点),以及(2)setup.php中的localeset参数(该参数中包含..),包含并执行任意本地文件。
|漏洞EXP
PHP-Fusion <= 6.00.206 Multiple Vulnerabilities 
===============================================

Software: PHP-Fusion <= 6.00.206
   Severity: SQL Injection(s), Path disclosure
   Risk: High
   Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]>
   Date: Nov. 16 2005
   Vendor: http://sourceforge.net/projects/php-fusion/

Description:

"...a light-weight open-source content management system (CMS) written in PHP. 
	It utilises a mySQL database to store your site content and includes a simple, 
	comprehensive adminstration system. PHP-Fusion includes the most common features 
	you would expect to see in many other CMS packages...."
	[http://php-fusion.co.uk/]

Details:

1) /subheader.php
	  Although PHP-Fusion has a good protection against path discolure, it looks like they've forgetten to
	  include this protection here.

2) /forum/options.php

if (iMEMBER) {
		$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));

If the Forum is activated and you are logged in you can insert malicious code into the databse 
	  trough the $forum_id variable.

/forum/viewforum.php?forum_id=4&lastvisited='[SQL injection]

3) /forum/viewforum.php

if (empty($lastvisited)) { $lastvisited = time(); }

[...]

$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");

To exploit this vulnerability you have to be logged out and a minimum of one thread should be
	posted in this forum.
	Malicious code can be inserted by requesting the following HTTP-request:

http://www.example.com/forum/viewforum.php?forum_id=1&lastvisited='
	   
	   
   Patch:
          Set magic_quotes_gpc to ON.
  
   Credits:

Credit goes to Robin Verton

References:

[1] http://sourceforge.net/projects/php-fusion/
	[2] http://myblog.it-security23.net
|参考资料

来源:www.php-fusion.co.uk
链接:http://www.php-fusion.co.uk/news.php?readmore=321
来源:www.php-fusion.co.uk
链接:http://www.php-fusion.co.uk/news.php
来源:SECUNIA
名称:19992
链接:http://secunia.com/advisories/19992
来源:BID
名称:17898
链接:http://www.securityfocus.com/bid/17898
来源:BUGTRAQ
名称:20060508PHPFusion<=v6.00.306avatarmod_mimearbitraryfileupload&localinclusionvulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/433277/100/0/threaded
来源:VUPEN
名称:ADV-2006-1735
链接:http://www.frsirt.com/english/advisories/2006/1735
来源:XF
名称:phpfusion-lastseenuserspanel-file-include(26389)
链接:http://xforce.iss.net/xforce/xfdb/26389
来源:OSVDB
名称:25539
链接:http://www.osvdb.org/25539
来源:OSVDB
名称:25538
链接:http://www.osvdb.org/25538
来源:SREASON
名称:873
链接:http://securityreason.com/securityalert/873
来源:SREASON
名称:194
链接:http://securityreason.com/securityalert/194