PHP-fusion security vulnerabilities 2020

In today’s exploit of the day we cover recent security vulnerabilities released for PHP-fusion.

PHP-fusion is an opensource Wordpress and Joomla content management system alternative dating back as far as 2003.
PHP-fusion has so far been able to score 5 major vulnerabilities with the CVE’s of:

CVE-2020-12718

A stored cross-site scripting vulnerability was found in the comments
function, the bug was quickly patched.

CVE-2020-12708

Both PHP-fusion’s article and download function are allowing malicious
third parties to inject malicious links and cause Cross Site Scripting Vulnerabilities.

CVE-2020-12706

PHP-fusion’s Q&A and shoutbox areas are both vulnerable to Cross-site scripting vulnerabilities.

CVE-2020-12461

SecGus was able to find out that the members.php
search function does not properly validate the input(being the
order the data is displayed in, resulting in manipulating the order by sql query)
before it is passed into the mysql backend database.
This is allowing third parties to execute malicious sql commands resulting in a SQL injection.

CVE-2020-12438

PHP-fusion has implemented a protection against cross-site scripting attacks
in the banner.php part of its codebase by removing html script tags, However
html allows img tags to execute javascript.
This was quickly found and reported in issue #2307.

Another interesting vulnerability that has not made it to a CVE yet
is a php object injection released 2020-05-26.
By injecting sql commands and submitting them as comments
using the “Feedback/Comments.ajax.php” function a
malicious third party is allowed to execute and trigger

Link to writeup:
https://therealcoiffeur.github.io/c111

Proof of concept exploit:
https://github.com/therealcoiffeur/therealcoiffeur.github.io/blob/master/tools/PHP-Fusion/poi_to_sqli_9.03.50.py

Find hosts

We did a quick google dork for php-fusion and got 97 000 results

Find vulnerabilities in your codebase

A chunk of these vulnerabilities was made possible due to a lack of input validation.
If you audit source code we recommend that you check all inputs that are being passed
in to the backend database, if you are passing
raw user input into a sql query then your application is
most likely vulnerable to sql injection attacks.

A great cure for this is to use MySQL’s escape function to escape user input as well as writing
a proper input validation function.

External links:

https://en.wikipedia.org/wiki/PHP-Fusion
https://vulns.firosolutions.com/cve/CVE-2020-12718/
https://vulns.firosolutions.com/cve/CVE-2020-12708/
https://vulns.firosolutions.com/cve/CVE-2020-12706/
https://vulns.firosolutions.com/cve/CVE-2020-12461/
https://vulns.firosolutions.com/cve/CVE-2020-12438/
https://packetstormsecurity.com/files/158077/PHP-Fusion-9.03.60-PHP-Object-Injection-SQL-Injection.html
https://www.php-fusion.co.uk/home.php