
PHP-Fusion < 6.00.106 submit.php Multiple Parameter HTML Injection

Medium

Synopsis

The remote host is vulnerable to an HTML Injection attack.

Description

The remote host is running a version of PHP-Fusion that is vulnerable to an HTML injection flaw. Specifically, the submit.php script fails to properly sanitize input supplied via the 'news_body', 'article_description', and 'user_pass' parameters. An attacker exploiting this flaw would typically need to be able to convince a remote user to browse to a malicious URI. A successful attack could disclose potentially confidential data (cookies, credentials) and potentially execute malicious code within the context of the vulnerable server.

Solution

Upgrade to version 6.00.106 or higher.