PHP-Fusion <= 6.00.206 Forum SQL Injection Vulnerability

Summary
Description: A vulnerability has been reported in the forum module of PHP-Fusion 6.00.206 and some earlier releases. When the forum module is activated, a registered user can execute arbitrary SQL commands through SQL injection. The flaw exists because the application does not properly sanitize user-supplied input in 'options.php' and 'viewforum.php' before using it in an SQL query, and it applies when magic_quotes_gpc is set to off.
Solution
Apply the patch from the PHP-Fusion main site: http://www.php-fusion.co.uk/downloads.php?cat_id=3
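
Until the patch is applied, web server access logs can be reviewed for tampered query strings sent to the two affected scripts. The Python script below is an added example, not part of the original advisory or of PHP-Fusion; the log lines are constructed, and the parameter name `id` is a hypothetical placeholder because the advisory does not name the vulnerable parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the advisory; matched by basename because the install path varies.
AFFECTED = {"options.php", "viewforum.php"}

# Request line inside a common/combined-format access log entry.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Quote characters, SQL comment markers and keywords that do not belong
# in a forum parameter value.
SUSPICIOUS = re.compile(
    r"['\"`;]|--|/\*|\b(?:union|select|insert|update|delete|drop|sleep|benchmark)\b",
    re.IGNORECASE,
)

# Constructed sample log lines; "id" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2006:10:00:00 +0000] "GET /forum/viewforum.php?id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2006:10:00:05 +0000] "GET /forum/viewforum.php?id=3%27 HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2006:10:00:09 +0000] "GET /forum/options.php?id=1+UNION+SELECT+1 HTTP/1.1" 200 298',
    '203.0.113.7 - - [01/Jan/2006:10:00:12 +0000] "GET /news.php?id=1%27 HTTP/1.1" 200 900',
]

def suspicious_requests(lines):
    """Return (line_no, script, param, decoded_value) for each flagged parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        if script not in AFFECTED:
            continue
        # parse_qsl percent-decodes values, so encoded quotes are caught too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SUSPICIOUS.search(value):
                hits.append((no, script, name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("line %d: %s parameter %r = %r" % hit)
```

Access logs record only the query string, so input sent in a POST body to these scripts will not appear here and needs request-body logging to review.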