Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: PHP-Fusion waraxe-2013-SA#097
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 02 Mar 2013 19:31:35 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/02/2013 05:02 PM, Henri Salo wrote:
Hello list,

Can I get CVEs for vulnerabilities fixed in PHP-Fusion version
7.02.06, thanks.

http://www.waraxe.us/advisory-97.html waraxe-2013-SA#097

Ok grouped these into the 5 sets of vulns:


OSVDB ID    title 90714     PHP-Fusion /downloads.php orderby
Parameter SQL Injection 90713     PHP-Fusion /forum/postedit.php
delete_attach_* Parameter SQL Injection 90712     PHP-Fusion
/forum/postnewthread.php poll_opts Parameter SQL Injection 90711
PHP-Fusion /administration/settings_messages.php Multiple Parameter
SQL Injection 90710     PHP-Fusion
/administration/settings_photo.php Multiple Parameter SQL Injection
 90709     PHP-Fusion /administration/bbcodes.php enable Parameter
SQL Injection 90695     PHP-Fusion /administration/news.php
Multiple Parameter SQL
Injection
90693     PHP-Fusion /administration/articles.php article_id
Parameter SQL Injection
90359     PHP-Fusion includes/classes/Authenticate.class.php
Multiple Cookie SQL Injection

Please use CVE-2013-1803 for these issues.

90708     PHP-Fusion /forum/viewthread.php highlight Parameter XSS
 90707     PHP-Fusion /messages.php Multiple Parameter XSS 90706
PHP-Fusion /infusions/shoutbox_panel/shoutbox_admin.php message
Parameter XSS 90705     PHP-Fusion /administration/news.php message
Parameter XSS 90704     PHP-Fusion /administration/panel_editor.php
panel_list Parameter XSS 90703     PHP-Fusion
/administration/phpinfo.php User-Agent HTTP Header XSS 90702
PHP-Fusion /administration/bbcodes.php __BBCODE__ Parameter XSS 
90701     PHP-Fusion /administration/article_cats.php Multiple
Parameter XSS 90700     PHP-Fusion
/administration/download_cats.php Multiple Parameter XSS 90699
PHP-Fusion /administration/news_cats.php Multiple Parameter XSS 
90698     PHP-Fusion /administration/weblink_cats.php Multiple
Parameter XSS 90697     PHP-Fusion /administration/articles.php
Multiple Parameter XSS

Please use CVE-2013-1804 for these issues.

90696     PHP-Fusion /administration/db_backup.php file Parameter
Traversal Arbitrary File Deletion

Please use CVE-2013-1805 for these issues.

90694     PHP-Fusion /maincore.php user_theme Parameter Traversal
Local File Inclusion 90692     PHP-Fusion
/administration/user_fields.php enable Parameter Traversal Local
File Inclusion

Please use CVE-2013-1806 for these issues.

90691     PHP-Fusion /administration/db_backup.php Database Backup
Direct Request Information Disclosure

Please use CVE-2013-1807 for these issues.

-- Henri Salo



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMrYHAAoJEBYNRVNeJnmTCiwP/AnADFWBxSi7WZgdordsi2et
QxJEWJ6b20KCgDTTCNwrIkHgVuEptiLZBAdyb8vHGJH34s/2WOPBrb6cTybXhQMf
hgnjhRGOuk8i29Z8bG1eQxilfiyckmklLNITnfmWdSTI+o0ZwGNpxvfuE5lCCPMM
+T1gVp1GEx9+pbFTj9W3Ud/Rfozq4ESBqhG3gk1D5iG57yPKstpeS6m9HDMzD1ou
YVEH9QeqwUgxQHJ5EVV3ovs2zrHbNpoTOdS2Bqdm2P2xuQCXxwJQFquii9DC0FMb
HFdysguYxTBXBkFrV4YpPXGdpSGYkazsCb6WMjC7886FDOKH+LMZoDK5mY++sLr0
6AUtoc1L+X5KvpIrod2BUS4QMt4P6yJIndxkG+dvWUZWbjHReQjBwHNOtttnXRAd
vOpwxzu8rzxZVErentXXu+04nffcjaxPmnngoQCH6nwf+wwjyOdCqW0hnSopa6zm
RHp7X6kGuuXDUVELRI7seuUcCOnY2eCwlSe+rzMZZjtqlwovCW9Gpi0MhwK9YF1c
VXCVIi6jtJbFwPS9s5JKCaqV0hFyfvUi2gmuMehmAREtBGyMINX93i4lY2Kz8SId
bBQJH/hdpZsiAUZ295fbDuIEO9CvNKWOPm+cI7bujGh14deuBH48rlU62MhHlbbs
US+dX4d0lZe0DkK81o65
=KrvT
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault