| VID |
21486 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
According to its version number, the PHP-Fusion installation on the remote web server has an information disclosure vulnerability. PHP-Fusion is a freely available content management system (CMS) written in PHP that uses MySQL. PHP-Fusion versions prior to 5.00 could allow a remote attacker to obtain sensitive information because of improper validation of user-supplied input in the forum_id and forum_cat parameters of the viewthread.php script. This allows a remote attacker to read the content of arbitrary forums and threads via the thread_id parameter.
* Note: This check relies solely on the version number of the PHP-Fusion installation on the remote web server to assess this vulnerability, so the result might be a false positive.
* References: http://archives.neohapsis.com/archives/bugtraq/2005-02/0029.html
* Platforms Affected: digitanium, PHP-Fusion versions prior to 5.00; any operating system, any version |
| Recommendation |
Upgrade to the latest version of PHP-Fusion (5.00 or later), available from the PHP-Fusion web page: http://sourceforge.net/projects/php-fusion/ |
| Related URL |
CVE-2005-0345 (CVE) |
| Related URL |
12482 (SecurityFocus) |
| Related URL |
19257 (ISS) |
|