Vulnerabilities > CVE-2004-1724 - Information Disclosure vulnerability in PHP Fusion PHP Fusion 4.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
php-fusion
nessus
exploit available
NVD
Published: 2004-08-18
Updated: 2017-07-11

Summary

The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password.

Vulnerable Configurations

Part Description Count
Application
Php_Fusion
1

Exploit-Db

descriptionPHP-Fusion Database Backup Information Disclosure Vulnerability. CVE-2004-1724. Webapps exploit for php platform
idEDB-ID:24384
last seen2016-02-02
modified2004-07-18
published2004-07-18
reporterAhmad Muammar
sourcehttps://www.exploit-db.com/download/24384/
titlePHP-Fusion Database Backup Information Disclosure Vulnerability

Nessus

NASL familyCGI abuses
NASL idPHP_FUSION_DB_BACKUP_DISCLOSURE.NASL
descriptionA vulnerability exists in the remote version of PHP-Fusion that may allow an attacker to obtain a dump of the remote database. PHP-Fusion has the ability to create database backups and store them on the web server, in the directory
last seen2020-06-01
modified2020-06-02
plugin id14356
published2004-08-23
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/14356
titlePHP-Fusion Database Backup Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14356);
  script_version("1.20");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2004-1724");
  script_bugtraq_id(10974);

  script_name(english:"PHP-Fusion Database Backup Disclosure");
  script_summary(english:"Checks the version of PHP-Fusion");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server hosts a PHP application that is prone to an
information disclosure attack."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability exists in the remote version of PHP-Fusion that may
allow an attacker to obtain a dump of the remote database.  PHP-Fusion
has the ability to create database backups and store them on the web
server, in the directory '/fusion_admin/db_backups/'.  Since there is no
access control on that directory, an attacker may guess the name of a
backup database and download it."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/372034");
  script_set_attribute(attribute:"solution", value:
"Use a .htaccess file or the equivalent to control access to files in
the backup directory."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php_fusion:php_fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  script_family(english:"CGI abuses");

  script_dependencies("http_version.nasl", "php_fusion_detect.nasl", "no404.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/php_fusion", "www/PHP");

  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("audit.inc");

port = get_http_port(default:80, php:TRUE);
if (get_kb_item("www/no404/"+port)) exit(0);

install = get_install_from_kb(
  appname      : "php_fusion",
  port         : port,
  exit_on_fail : TRUE
);
dir = install["dir"];
ver = install["ver"];

if ( ver =~ "^([0-3][.,]|4[.,]00)" )
{
  w = http_send_recv3(
    method  : "GET",
    item    : dir + "/fusion_admin/db_backups/",
    port    : port,
    exit_on_fail : TRUE
  );
  r = w[2];
  if ( egrep(pattern:"^HTTP/.* 200 .*", string:r) )
  {
    security_warning(port);
  }
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, "PHP-Fusion", build_url(qs:dir, port:port), ver);

References