PHP-Fusion < 5.0.2 setuser.php HTML Injection Vulnerability
Medium Nessus Network Monitor Plugin ID 2726
SynopsisThe remote host is vulnerable to an HTML injection attack.
DescriptionThe remote host is running a version of PHP-Fusion that is vulnerable to an HTML injection flaw. Specifically, the setuser.php script fails to properly sanitize input data via the 'user_name' and 'user_pass' parameters. An attacker exploiting this flaw would typically need to be able to convince a remote user to browse to a malicious URI. A successful attack would yield potentially confidential data (cookies, credentials) as well as potentially execute malicious code within the context of the vulnerable server.
SolutionUpgrade to version 5.0.2 or higher.