PHP-Fusion - "...a light-weight open-source content management system (CMS) written in PHP. It utilises a mySQL database to store your site content and includes a simple, comprehensive adminstration system. PHP-Fusion includes the most common features you would expect to see in many other CMS packages...."
An SQL injection and a path disclosure vulnerabilities have been discovered in PHP Fusion CMS.
Credit:
The information has been provided by Robin Verton.
Vulnerable Systems:
* PHP-Fusion versions 6.00.206 and prior
Path disclosure in /subheader.php:
Although PHP-Fusion has a good protection against path disclosure, it looks like they've forgotten to include this protection here.
SQL Injection in /forum/options.php: if (iMEMBER) {
$data = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id='".$forum_id."'"));
If the Forum is activated and you are logged in you can insert malicious code into the database trough the $forum_id variable.
SQL Injection in /forum/viewforum.php: if (empty($lastvisited)) { $lastvisited = time(); }
[...]
$new_posts = dbcount("(post_id)", "posts", "thread_id='".$data['thread_id']."' and post_datestamp>'$lastvisited'");
To exploit this vulnerability you have to be logged out and a minimum of one thread should be posted in the forum. Malicious code can be inserted by requesting the following HTTP-request:
