VID | 210017
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
PHP-Fusion is vulnerable to SQL injection in the 'maincore.php' script. PHP-Fusion is a freely available content management system (CMS) written in PHP which uses MySQL. Versions prior to 6.01.5 are affected; the injection is caused by a global variable overwrite flaw in 'maincore.php'. If the 'register_globals' and 'magic_quotes_gpc' options are disabled, a remote attacker could pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, data modification, or attacks against the database itself.
* References:
  * http://retrogod.altervista.org/phpfusion_6-01-4_xpl.html
  * http://www.securityfocus.com/archive/1/445480/30/0/threaded
  * http://www.frsirt.com/english/advisories/2006/3523
  * http://secunia.com/advisories/21830/
* Platforms Affected:
  * digitanium, PHP-Fusion versions prior to 6.01.5
  * Any operating system Any version
Recommendation |
Upgrade to the latest version of PHP-Fusion (6.01.5 or later), available from the PHP-Fusion Web site at http://sourceforge.net/projects/php-fusion/ |
Related URL | CVE-2006-4673 (CVE)
Related URL | 19908,19910 (SecurityFocus)
Related URL | 28818 (ISS)