XSS vulnerability patch
Posted by Falk on 03/19/2005
Pi3cH has reported a cross-site-scripting vulnerability. PHPFusion does not properly validate user-supplied input passed by the log-in form in 'user_info_panel.php'.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPFusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. It's believed this is related to the new login system I plan to implement officially in v5.02, but have made available as a mod for v5.01. The details are not exact, so I have added a security fix to v5.01 to close this vulnerability. I know this must be annoying for everyone, especially as this is the 3rd security issue inside a month.
You must ensure that you update the file fusion_core.php. You can get the very latest file from the service pack, which is available from the downloads area; the sourceforge files have also been updated. If you prefer to update manually, please click Read More for details. Thanks to Pi3cH at PersianHacker.NET for the heads up.
Extended News
If you wish to update manually you will need to edit fusion_core.php and make the following changes:
Look for the following lines, located after line 150:
if (isset($_POST['login'])) {
$result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='".$_POST['user_name']."' and user_password=md5('".$_POST['user_pass']."')");
Leave the if line in place and replace the $result = dbquery(...) line, which passes the raw $_POST values straight into the SQL string, with these 4 lines. They run the username through stripinput(), restrict it to letters, digits, '-', '_', '@' and whitespace, hash the password in PHP before it reaches the query, and send any other input back to index.php:
$user_name = stripinput($_POST['user_name']);
$user_pass = md5($_POST['user_pass']);
if (!preg_match("/^[-0-9A-Z_@\s]+$/i", $user_name)) { header("Location: ".FUSION_BASE."index.php"); exit; }
$result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='$user_name' and user_password='$user_pass'");
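To see what the new check accepts and rejects, here is the whitelist pulled out of the patch above and run against a few constructed inputs, alongside the query string each version of the code would build. This is an added example, not code from the PHP-Fusion service pack; the function names isValidUserName, buildLoginQueryBefore and buildLoginQueryAfter are this example's own, and it omits the stripinput() call that the real patch applies before the regex.

```php
<?php
// Added example: isolates the whitelist check from the fusion_core.php patch.
// Not part of PHP-Fusion; function names are this example's own.

// Identical pattern to the patch: letters, digits, '-', '_', '@' and whitespace.
const USER_NAME_PATTERN = '/^[-0-9A-Z_@\s]+$/i';

function isValidUserName(string $userName): bool
{
    return preg_match(USER_NAME_PATTERN, $userName) === 1;
}

// 'Before': the POST values are interpolated straight into the SQL string,
// so a quote in the username ends the literal and the rest is parsed as SQL.
function buildLoginQueryBefore(string $userName, string $userPass, string $prefix = 'fusion_'): string
{
    return "SELECT * FROM {$prefix}users WHERE user_name='" . $userName
        . "' and user_password=md5('" . $userPass . "')";
}

// 'After': anything outside the whitelist is refused (the patch redirects to
// index.php and exits; here we return null) and the password is hashed in PHP.
function buildLoginQueryAfter(string $userName, string $userPass, string $prefix = 'fusion_'): ?string
{
    if (!isValidUserName($userName)) {
        return null;
    }
    $userPass = md5($userPass);
    return "SELECT * FROM {$prefix}users WHERE user_name='" . $userName
        . "' and user_password='" . $userPass . "'";
}

// Constructed sample inputs.
$samples = [
    'alice',
    'bob_smith@example-host',
    "alice' or '1'='1",           // quote and '=' are outside the class
    '<script>alert(1)</script>',  // HTML metacharacters are outside the class
    "alice\n",                    // \s in the class still admits whitespace, including a newline
];

foreach ($samples as $name) {
    printf("%-32s %s\n", json_encode($name, JSON_UNESCAPED_SLASHES),
        isValidUserName($name) ? 'accepted' : 'rejected');
}

echo "\nbefore: ", buildLoginQueryBefore("alice' or '1'='1", 'x'), "\n";
echo "after:  ", buildLoginQueryAfter("alice' or '1'='1", 'x') ?? '(rejected: redirect to index.php)', "\n";
```

Run it with `php example.php`. The whitelist stops quotes, angle brackets and other SQL or HTML metacharacters from ever reaching dbquery(), which is what closes the hole; note that because the class includes \s, leading, trailing and embedded whitespace (newlines included) is still accepted, so the check is a metacharacter filter, not a strict username format.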