SQL injection and cross site scripting vulnerability in PHP Fusion

Specialists from a pentesting course have just revealed the discovery of multiple vulnerabilities in PHP Fusion, an open source content management system (CMS) written in PHP that has a MySQL database to store dynamic content. Exploiting these flaws could lead to scenarios such as SQL injection, cross-site scripting (XSS) attacks, and more.

Below are some details about the vulnerabilities found, with their respective identifiers and Common Vulnerability Scoring System (CVSS) scores. It should be noted that one of the vulnerabilities has not yet been assigned an identifier.

CVE-2020-12461: This vulnerability allows a remote threat actor to execute arbitrary SQL queries against the PHP Fusion database. According to the experts of the pentesting course company, this flaw exists due to inadequate sanitization of user input in maincore.php when processing the GET “sort_order” parameter on the members.php member search page.

Malicious hackers could send a specially crafted request to the vulnerable application and execute arbitrary SQL commands within the application database. If successfully exploited, this flaw would allow hackers to read, delete or modify the information in the database and gain full control of the exposed application.

The flaw has a score of 8/10 on the CVSS scale, so it is considered a critical vulnerability.
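The ORDER BY handling described above is the classic case where a prepared statement alone does not help, because column names and sort directions cannot be bound as parameters; the defence is an allowlist. The following PHP is an added example, not PHP Fusion's own code, and the table and column names are assumptions:

```php
<?php
// Added example, not PHP Fusion's own code. It contrasts the pattern the
// advisory describes (a GET "sort_order" value reaching ORDER BY unchecked)
// with an allowlist-based version. Table and column names are assumptions.

// Vulnerable pattern: the raw parameter is concatenated into the query, so
// whatever text the client sends becomes part of the SQL statement.
function members_query_vulnerable(string $sort_order): string
{
    return "SELECT user_id, user_name FROM users ORDER BY " . $sort_order;
}

// Hardened pattern: the parameter is only ever used as a lookup key into
// fixed allowlists; unknown values fall back to a default, so no client
// text is ever spliced into the SQL string.
function members_query_safe(string $sort_order): string
{
    $columns = [
        'user_name'   => 'user_name',
        'user_joined' => 'user_joined',
        'user_level'  => 'user_level',
    ];
    $directions = ['ASC' => 'ASC', 'DESC' => 'DESC'];

    // Split "column direction" on whitespace; at most two pieces.
    $parts = preg_split('/\s+/', trim($sort_order), 2);
    $col = $columns[$parts[0]] ?? 'user_name';
    $dir = $directions[strtoupper($parts[1] ?? 'ASC')] ?? 'ASC';

    return "SELECT user_id, user_name FROM users ORDER BY {$col} {$dir}";
}

// Constructed inputs: a legitimate value and a value that is not a column.
$inputs = ['user_joined DESC', 'user_name) -- not a real column'];
foreach ($inputs as $in) {
    echo "input: {$in}\n";
    echo "  vulnerable: " . members_query_vulnerable($in) . "\n";
    echo "  safe:       " . members_query_safe($in) . "\n";
}
```

For the second input the vulnerable builder emits the client's text verbatim inside the statement, while the hardened builder falls back to `ORDER BY user_name ASC`.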

CVE-2020-12438: This flaw exists due to insufficient sanitization of user input in the banners.php script and could be exploited to launch cross-site scripting (XSS) attacks.

Threat actors can trick the victim into clicking on a specially crafted link and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable site. Successful exploitation of this vulnerability would allow a remote attacker to steal sensitive information, alter the appearance of the website, and perform phishing attacks, among others.

The flaw received a 3/10 score on the CVSS scale, so it is considered a low-severity vulnerability.

Finally, the specialists of the pentesting course company detected a vulnerability that allows a malicious hacker to carry out XSS attacks. This flaw exists due to insufficient sanitization of user input passed to the scripts “/submit.php” and “/infusions/downloads/downloads.php”. A remote threat actor can permanently (stored XSS) inject and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable website. At the moment, further technical details about this flaw are unknown.

For now, there are no patches to fix these vulnerabilities, so the International Institute of Cyber Security (IICS) recommends that administrators of affected deployments monitor the CMS's official channels and install updates as soon as they become available.