v6.00.205 - Multiple exploit fixes

Files Updated: I've discovered two potential problems in infusions -> shoutbox_panel -> shoutbox_archive.php and the new news.php script. For some reason I neglected to sanitise the $rowstart variable; that's what you get for doing too much work!

I've been notified about 3 exploits, 2 discovered by Yichen Xie and another reported by Secunia. Yichen Xie has discovered an exploit in lostpassword.php which allows a registered user to gain super admin access by manipulating the URL. Yichen has also found that users can delete all messages again by manipulating the URL.

Finally, Secunia has informed us of an exploit in submitted news/articles due to improperly sanitised input. I'm pleased to say that I have addressed all of these issues and have released an immediate update. All v6.00.2 users are strongly advised to update ASAP. The SourceForge package has also been updated.

Existing users can update their system by uploading the contents of the file 6-00-205up.zip to the server, then clicking Upgrade under System Admin. If you prefer to add the fixes manually, please click Read more for instructions.

Download v6.00.205 update (26Kb).

If you prefer to add the fixes manually, here is a complete run-down of what you need to add or change:

1. lostpassword.php

After line 21:

if (isset($email) && isset($account)) {

Add the following line:

if (FUSION_QUERY != "email=".$email."&account=".$account) fallback("index.php");
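As an added illustration (not PHP-Fusion's own code) of what the check above enforces: FUSION_QUERY is assumed here to be the raw query string of the request, and the script is assumed to run with register_globals on, so any extra URL parameter would become a PHP variable inside it. The first function reproduces the exact-match check; the second is a looser key allowlist, included to contrast the two, and the last sample request goes beyond the page to show where the exact comparison rejects a legitimate but URL-encoded value. All sample query strings are constructed.

```php
<?php
// Added example, not PHP-Fusion code. The raw query string passed in stands
// in for FUSION_QUERY (assumed to be $_SERVER['QUERY_STRING']).

// The 6.00.205 check, as a function: the raw query string must be exactly
// "email=<email>&account=<account>", so no additional parameter can reach
// the script in the same request.
function query_matches_exactly(string $rawQuery, array $expected): bool
{
    $parts = [];
    foreach ($expected as $key => $value) {
        $parts[] = $key . '=' . $value;
    }
    return $rawQuery === implode('&', $parts);
}

// A looser alternative: accept the request when every parameter name is on
// an allowlist, whatever the order and encoding. Unknown names still reject.
function query_has_only_keys(array $get, array $allowed): bool
{
    return array_diff(array_keys($get), $allowed) === [];
}

// Constructed sample requests.
$requests = [
    'email=user@example.com&account=alice',
    'email=user@example.com&account=alice&extra=1',   // extra parameter
    'account=alice&email=user@example.com',           // same keys, other order
    'email=user%40example.com&account=alice',         // URL-encoded "@"
];

foreach ($requests as $raw) {
    parse_str($raw, $get);   // $get holds the decoded values, like $_GET
    $expected = ['email' => $get['email'] ?? '', 'account' => $get['account'] ?? ''];
    printf("%-48s exact: %-9s allowlist: %s\n",
        $raw,
        query_matches_exactly($raw, $expected) ? 'pass' : 'fallback',
        query_has_only_keys($get, ['email', 'account']) ? 'pass' : 'fallback');
}
```

Run with `php` to see both checks side by side. The exact comparison is the stricter of the two and is what the fix ships, but because it compares the raw query string against the decoded values, a client that percent-encodes the "@" in the address is sent to the fallback as well; the allowlist form accepts that request while still rejecting any parameter name the script does not expect.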
2. maincore.php

Replace line 398 (the start of this line, including the opening "<tag" part of the regex pattern, did not survive page extraction; only its tail is shown, and the same applies to the pattern in the replacement below):

]*>#i',"",$text);

With the following:

do {
$thistext = $text;
$text = preg_replace('#]*>#i',"",$text);
} while ($thistext != $text);
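As an added example (not PHP-Fusion's code) of why the loop matters, a single-pass and a repeat-until-stable version of the same replacement are run over a few constructed strings. The page's own regex pattern did not survive extraction, so the pattern used here, which removes opening <script ...> tags, is an assumed stand-in chosen only to make the behaviour visible.

```php
<?php
// Added example, not PHP-Fusion code. The pattern is an ASSUMED stand-in for
// the one lost from the page; any single-tag removal pattern behaves the same.
const TAG_PATTERN = '#<script[^>]*>#i';

// One pass: the pre-6.00.205 behaviour of line 398.
function strip_once(string $text): string
{
    return preg_replace(TAG_PATTERN, '', $text);
}

// Repeat until a pass changes nothing: the 6.00.205 fix, as a function.
function strip_until_stable(string $text): string
{
    do {
        $thistext = $text;
        $text = preg_replace(TAG_PATTERN, '', $text);
    } while ($thistext !== $text);
    return $text;
}

// Constructed sample inputs for a regression check of the sanitiser. The third
// one is the case the loop exists for: removing the inner match leaves behind
// text that is itself a match, which a single pass never looks at again.
$samples = [
    'plain text',
    'a <script src="x"> b',
    'a <scr<script>ipt> b',
];

foreach ($samples as $s) {
    printf("%-28s once: %-18s stable: %s\n",
        var_export($s, true),
        var_export(strip_once($s), true),
        var_export(strip_until_stable($s), true));
}
```

Run with `php` to see the two versions diverge only on the third sample. Whatever pattern is used, removing tags by regex is a blocklist; for text that is going to be displayed, encoding it with htmlspecialchars() at output time is the robust complement to this kind of filter.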

Looping until a pass removes nothing closes the gap in the single-pass version: if removing one match leaves behind text that itself forms a match, the next pass removes that too, and the loop only stops once the text no longer changes.

3. messages.php

After line 157:

$cnt_messages = count($chk_mark);

Add the following line:

foreach ($chk_mark as $thisnum) { if (!isNum($thisnum)) { fallback("messages.php"); } }

Replace line 162:

$result_where_message_id = "message_id=".$chk_mark[0];

With the following:

$result_where_message_id = "message_id=".(isNum($chk_mark[0]) ? $chk_mark[0] : "0");

After line 227:

} elseif (isset($_POST['btn_delete']) || isset($msg_delete)) { // delete message

Add the following line:

if (!isset($msg_delete) && !isset($chk_mark)) fallback("messages.php");

4. infusions/shoutbox_panel/shoutbox_archive.php AND news.php

Replace the following line:

if (!isset($rowstart)) $rowstart = 0;

With the following:

if (!isset($rowstart) || !isNum($rowstart)) $rowstart = 0;
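An added example, not PHP-Fusion's own code, that turns the checks from sections 3 and 4 into small functions that can be exercised on their own. isNum() is an assumed stand-in for PHP-Fusion's helper (a plain all-digits test), the function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not PHP-Fusion code. isNum() is an ASSUMED stand-in for
// PHP-Fusion's helper: true only for a scalar made entirely of ASCII digits.
function isNum($value): bool
{
    return is_scalar($value) && preg_match('/^[0-9]+$/', (string) $value) === 1;
}

// Section 3, after line 157: reject the whole request when any element of the
// checkbox array is not numeric. Returns the ids as integers, or null where
// the page calls fallback("messages.php").
function message_ids_or_null(array $chk_mark): ?array
{
    foreach ($chk_mark as $thisnum) {
        if (!isNum($thisnum)) {
            return null;
        }
    }
    return array_map('intval', $chk_mark);
}

// Section 3, line 162: the single-id WHERE fragment falls back to id 0 rather
// than concatenating a non-numeric value into the SQL string.
function where_message_id(array $chk_mark): string
{
    return "message_id=" . (isset($chk_mark[0]) && isNum($chk_mark[0]) ? $chk_mark[0] : "0");
}

// Section 4: the paging offset is 0 unless it is a plain non-negative integer
// (a leading "-" is not a digit, so negative offsets are rejected as well).
function safe_rowstart($rowstart): int
{
    return isNum($rowstart) ? (int) $rowstart : 0;
}

// Constructed sample inputs: a clean list, a list with one bad element, single
// ids that are numeric, non-numeric and absent, and several paging offsets.
var_dump(message_ids_or_null(['12', '7']));
var_dump(message_ids_or_null(['12', '7abc']));
echo where_message_id(['12']), "\n";
echo where_message_id(['abc']), "\n";
echo where_message_id([]), "\n";
echo safe_rowstart('20'), ' ', safe_rowstart('-1'), ' ', safe_rowstart('20abc'), ' ', safe_rowstart(null), "\n";
```

Checking every element of the array, not just the first, is the point of the foreach in section 3: each id ends up concatenated into a WHERE clause, so one unchecked element is enough. With mysqli or PDO the same values would be bound as integer parameters instead of concatenated, which removes the need to rely on the validation alone.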

Falk October 28 2005 19,926