php_fusion_6_00_206_sql_injection.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#
# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#

desc["english"] = "
Synopsis :

The remote web server contains a PHP script that is prone to SQL
injection attacks.

Description :

PHP-Fusion is installed on the remote system.
It is a light-weight open-source content management system (CMS).

A vulnerability is reported in the forum module of PHP-Fusion
6.00.206 and some early released versions.
When the forum module is activated, a registered user
can execute arbitrary SQL injection commands.

The failure exists because the application does not properly
sanitize user-supplied input in 'options.php' and 'viewforum.php'
before using it in the SQL query, and magic_quotes_gpc is set to off.

See also :

http://www.securityfocus.com/bid/15502
http://secunia.com/advisories/17664/

Solution :

Apply the patch from the php-fusion main site:
http://www.php-fusion.co.uk/downloads.php?cat_id=3

Risk factor :

Medium"; 


if (description) {
script_id(200010);
script_version("$Revision: 1.0 $");

script_cve_id("CVE-2005-3740");
script_bugtraq_id(15502);

name["english"] = "PHP-Fusion <= 6.00.206 Forum SQL Injection Vulnerability";
script_name(english:name["english"]);

script_description(english:desc["english"]);

summary["english"] = "Check if PHP-Fusion is vulnerable to SQL Injection attacks";
script_summary(english:summary["english"]);

script_category(ACT_ATTACK);
script_family(english:"CGI abuses");

script_copyright(english:"This script is Copyright (C) 2005 Ferdy Riphagen");

script_dependencie("http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");

exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

if (thorough_tests) dirs = make_list("/php-files", "/forum", "/", "/fusion", cgi_dirs());
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{ 
 # Check if PHP-Fusion exists. 
 res = http_get_cache(item:string(dir, "/news.php"), port:port);
 if (res == NULL) exit(0);

 # Check for the vulnerable versions.
 if (egrep(pattern: ">Powered by.*PHP-Fusion.*v([45]\.0[01])|6\.(00\.(1[01][56790]|20[46]))", string: res))  
 { 
  line = egrep(pattern: ">Powered by.*PHP-Fusion", string: res);

  note = string(
  "***** Nessus has determined that the vulnerable PHP-Fusion version\n",
  "***** is installed on the remote host by checking its version number.\n",
  "***** This might be an false positive.\n");
 
  # Check and build the version.
  version = ereg_replace(pattern:".*>Powered by.* v([0-9.]+).*", string:line, replace:"\1");
  if (version != line)
  {
   # Build the report.
   report = string(
   desc["english"], "\n\n",
   "Plugin output :\n\n",
   "PHP-Fusion is installed on the remote system.\n",
   "The version of the application is:\n",
   "PHP-Fusion v", version, "\n\n",
   "Note :\n\n", note);
  }
  else report =string(
  desc["english"], "\n\n",
  "Note :\n\n", note); 

  security_warning(port:port, data:report);
  exit(0);
 }
}