XSS&Sql injection attack in PHP-Fusion 6.00.3 Released

[krasza () gmail com]

XSS&Sql injection attack in PHP-Fusion 6.00.3 Released
Web page:http://www.php-fusion.co.uk/

Author:krasza[krasza () gmail com]

1.Description
(...)"PHP-Fusion is a constantly evolving content management system (CMS) powered by PHP 4 and mySQL. It provides an 
easy to install system with a simple yet powerful set of administrative controls. This means you will have an easy to 
maintain interactive community website without requiring any knowledge of web programming."

2.XSS
When You are logged in, You can pass the XSS attack.
http://127.0.0.1/[fushion]/members.php?sortby=%3Ciframe%20src=http://securityreason.com%20%3C
After introduce this URL You should see the small frame with this site:
http://securityreason.com

3.Sql injection attack
If magic_quotes_gpc=off and You are logged in, You can pass the sql injection attack. This bug its hard enough to pass 
and surely we cannot admit as critical. Error appear in every file making possible estimation, because all of modules 
add includes/ratings_include.php and there is the bug.(...)
if (isset($_POST['post_rating'])) {
  if ($_POST['rating'] > 0) {
   $result = dbquery("INSERT INTO ".DB_PREFIX."ratings (rating_item_id, rating_type, rating_user, rating_vote, 
rating_datestamp, rating_ip) VALUES ('$rating_item_id', '$rating_type', '".$userdata['user_id']."', 
'".$_POST['rating']."', '".time()."', '".USER_IP."')");
  }
(...)

Notice that the variable $_POST['post_rating'] is not  given of the filtration what causes, that one can her properly 
change and pass sql injection with the question INSERT. Exploit is accessible an address:
> > > http://securityreason.com/exploitalert/182<<<


Greets:
-http://www.securityreason.com
-Snak3 from netmore


krasza
krasza () gmail com
http://www.krewniacy.pl