SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   PHP-Fusion
Vendors:   Digital Dominion
PHP-Fusion Discloses Database Backup Files to Remote Users
SecurityTracker Alert ID:  1010983
SecurityTracker URL:  http://securitytracker.com/id/1010983
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 18 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in PHP-Fusion. A remote user can download database backup files. A remote user can also determine the installation path.

y3dips reported that a remote user can access the backup files in the 'fusion_admin/db_backups' directory. The file names are of the following form:

- backup_year-month-day_time.sql
- backup_year-month-day_time.sql.gz

A remote user can guess the name of the file and download it. The file contains usernames and MD5 password hashes. A remote user may be able to exploit this information to gain administrative access on the target system.

It is also reported that a remote user can directly access certain scripts to determine the installation path.

Some demonstration exploit URLs are provided:

http://localhost/fusion/fusion_admin/updateuser.php

http://localhost/fusion/fusion_admin/forums_prune.php

Impact:   A remote user can download database backup files, which contain usernames and hashed passwords. This information may allow a remote user to obtain administrative access on the target system.

A remote user can determine the installation path.
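As an added example (not part of the SecurityTracker entry or of y3dips' advisory), a Python script that flags the two access patterns described above in web server access logs: direct requests to the admin helper scripts, and requests for db_backups files named in the backup_year-month-day_time.sql[.gz] form, with repeated misses per client escalated to a name-guessing alert. The combined log format, the probe threshold and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Combined access-log format (Apache/nginx default); assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Backup dumps use the backup_year-month-day_time.sql[.gz] form given in the advisory.
BACKUP_RE = re.compile(r'/fusion_admin/db_backups/backup_\d{4}-\d{2}-\d{2}_\d{4}\.sql(\.gz)?$')
# Admin include scripts the advisory shows leaking the install path when requested directly.
DIRECT_ADMIN_RE = re.compile(r'/fusion_admin/(updateuser|forums_prune)\.php$')

def classify(line):
    # Map one log line to an event dict, or None when it is not of interest.
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path').split('?', 1)[0]
    status = int(m.group('status'))
    if BACKUP_RE.search(path):
        # 200 means a dump was actually served; anything else is a guessed name that missed
        kind = 'backup-download' if status == 200 else 'backup-probe'
    elif DIRECT_ADMIN_RE.search(path):
        kind = 'direct-admin-script'
    else:
        return None
    return {'ip': m.group('ip'), 'path': path, 'status': status, 'kind': kind}

def detect(lines, probe_threshold=3):
    # Return (ip, finding, detail) tuples; misses on db_backups are aggregated per client.
    findings, probes = [], defaultdict(int)
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev['kind'] == 'backup-probe':
            probes[ev['ip']] += 1
            if probes[ev['ip']] == probe_threshold:  # alert once per client
                findings.append((ev['ip'], 'backup-guessing', f"{probe_threshold} misses"))
        else:
            findings.append((ev['ip'], ev['kind'], ev['path']))
    return findings

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Aug/2004:18:50:00 +0700] "GET /fusion/fusion_admin/updateuser.php HTTP/1.0" 200 512',
    '203.0.113.7 - - [17/Aug/2004:18:50:05 +0700] "GET /fusion/fusion_admin/db_backups/backup_2004-08-17_1800.sql HTTP/1.0" 404 291',
    '203.0.113.7 - - [17/Aug/2004:18:50:06 +0700] "GET /fusion/fusion_admin/db_backups/backup_2004-08-17_1815.sql HTTP/1.0" 404 291',
    '203.0.113.7 - - [17/Aug/2004:18:50:07 +0700] "GET /fusion/fusion_admin/db_backups/backup_2004-08-17_1830.sql HTTP/1.0" 404 291',
    '203.0.113.7 - - [17/Aug/2004:18:50:08 +0700] "GET /fusion/fusion_admin/db_backups/backup_2004-08-17_1845.sql.gz HTTP/1.0" 200 48213',
    '198.51.100.4 - - [17/Aug/2004:18:51:00 +0700] "GET /fusion/news.php HTTP/1.0" 200 9120',
]
```

Running `detect(SAMPLE_LOG)` yields one finding for the direct admin-script hit, one guessing alert after the third miss, and one for the served dump.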

Solution:   No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/php-fusion/
Cause:   Access control error, Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Multiple vulnerabilities in PHP-FUSION




ECHO_ADV_04$2004

---------------------------------------------------------------------------
                Multiple vulnerabilities in PHP-FUSION
---------------------------------------------------------------------------

Author: y3dips
Date: August, 17th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv04-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PHP-Fusion v4.00 (Released June 14th 2004), written by Nick Jones (Digitanium)

PHP-Fusion is an all-in-one content management system (CMS) written in PHP4.
It uses a MySQL database to store all of its content such as News, Articles,
Forum Posts, Shoutbox Posts and more.

web: http://sourceforge.net/projects/php-fusion/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1. The script fusion_admin/updateuser.php is not protected against direct access,

and if we go straight to the path we will see standard PHP error messages
revealing the full path to the script

POC :

http://localhost/fusion/fusion_admin/updateuser.php

Warning: main(fusion_langdiradmin/admin_members.php): failed to open stream:
No such file or directory in /var/www/html/fusion/fusion_admin/updateuser.php on line 14

Fatal error: main(): Failed opening required 'fusion_langdiradmin/admin_members.php'
(include_path='.:/usr/share/pear') in /var/www/html/fusion/fusion_admin/updateuser.php on line 14



A2. The script fusion_admin/forums_prune.php is not protected against direct access,

and if we go straight to the path we will see standard PHP error messages
revealing the full path to the script

http://localhost/fusion/fusion_admin/forums_prune.php

Fatal error: Call to undefined function:
opentable() in /var/www/html/fusion/fusion_admin/forums_prune.php on line 14

----------------------------------------------


B. Possible to download or view the db backup file to gain Admin Access


see the installation instructions in the "ReadMe First.txt"

1 - CHMOD the following folders to 0777:
    - ---
    - fusion_admin/db_backups
    - ---

It means that db_backups is browseable; even though there is still an "index.php"
file in the directory, it does not protect the db files in the directory against
direct access

let's see the weakness of the db file name form

example name : - backup_2004-08-17_1845.sql
               - backup_2004-08-17_1845.sql.gz

               let see the form

               - backup_year-month-day_time.sql
               - backup_year-month-day_time.sql.gz


But you'll have to "GUESS" the db name; it doesn't matter if you have a little
programming skill :), because you've already got the format, then you just need
to point a range into your own script to download it :D

POC :

you can directly point your URL to this page

http://localhost/fusion/fusion_admin/db_backups/backup_2004-08-17_1845.sql

then " BUMM " I swear to you, you'll see the whole database, be it the tables
or the data, in your browser; it depends on the administrator's way of backing it up,

or

http://localhost/fusion/fusion_admin/db_backups/backup_2004-08-17_1845.sql.gz

then you may download it :P

then you see the data

----cut--------------

# Table Data for `fusion_users`
#
INSERT INTO `fusion_users` (`user_id`, `user_name`, `user_password`, `user_email`,
`user_hide_email`, `user_location`, `user_icq`, `user_msn`, `user_yahoo`,
`user_web`, `user_theme`, `user_offset`, `user_avatar`, `user_sig`, `user_posts`,
`user_joined`, `user_lastvisit`, `user_mod`, `user_ban`) VALUES (1, 'dudul',
'810f9f3fbad17446a22ed2e516a12c36', 'dudul@dudul.com', 1, '', '', '', '', '',
'Default', '0', '', '', 0, 1092739417, 1092743149, 4, 0);

-----cut-------------

user = dudul
md5 password = 810f9f3fbad17446a22ed2e516a12c36
user_mod = 4 <---- super administrator

---------------------------------------------------------------------------

The fix:
~~~~~~~~

Vendor not contacted yet

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy, bima_, yadi_syahid, orion, lutfian
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o & #aikmel @DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
     Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
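An added example (not from the advisory or from PHP-Fusion) that checks an installation for the condition described in section B and applies a fix: the db_backups directory left world-writable per the readme's CHMOD 0777 step, dump files present under the predictable backup_year-month-day_time name, and no web server rule refusing requests for them. It assumes Apache with AllowOverride enabled for that directory, a POSIX filesystem, and the fusion_admin/db_backups layout; the sample install is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

BACKUP_RE = re.compile(r'^backup_\d{4}-\d{2}-\d{2}_\d{4}\.sql(\.gz)?$')
DENY_RULES = ('deny from all', 'require all denied')  # Apache 2.2 and 2.4 forms

def backups_dir(root):
    return os.path.join(root, 'fusion_admin', 'db_backups')

def audit_db_backups(root):
    # Report whether db_backups is world-writable, which dumps it holds, and
    # whether an .htaccess refuses web requests for them.
    d = backups_dir(root)
    report = {'world_writable': False, 'backups': [], 'web_deny_rule': False}
    if not os.path.isdir(d):
        return report
    report['world_writable'] = bool(os.stat(d).st_mode & stat.S_IWOTH)
    report['backups'] = sorted(f for f in os.listdir(d) if BACKUP_RE.match(f))
    ht = os.path.join(d, '.htaccess')
    if os.path.isfile(ht):
        with open(ht) as fh:
            report['web_deny_rule'] = any(r in fh.read().lower() for r in DENY_RULES)
    return report

def harden_db_backups(root):
    # Refuse all web requests for the directory and drop world-write. The web
    # server user must still write dumps there, so 0770 with the directory
    # group-owned by that user is assumed instead of the readme's 0777.
    d = backups_dir(root)
    with open(os.path.join(d, '.htaccess'), 'w') as fh:
        fh.write('Order deny,allow\nDeny from all\n')
    os.chmod(d, 0o770)
    return audit_db_backups(root)

def build_sample_install():
    # Constructed PHP-Fusion layout following the readme: db_backups at 0777
    # holding two dumps named as in the advisory, plus the index.php placeholder.
    root = tempfile.mkdtemp(prefix='fusion-')
    d = backups_dir(root)
    os.makedirs(d)
    for name in ('index.php', 'backup_2004-08-17_1845.sql', 'backup_2004-08-17_1845.sql.gz'):
        open(os.path.join(d, name), 'w').close()
    os.chmod(d, 0o777)
    return root
```

The .htaccess only takes effect where Apache honours per-directory overrides; otherwise the same Deny rule belongs in the server configuration for that directory.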
