PHP-Fusion 9.03.00, edit_profile.php Remote Code Execution Vulnerability

Summary

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

Credit:

The information has been provided by FrederickChan .
The original article can be found at: https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6


Details

Php-fusion  is prone to a remote code-execution vulnerability.This allows a remote attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition. 

Vulnerable Systems:

  • Php-fusion 4.01
  • Php-fusion 6.01.9
  • Php-fusion 6.01.10
  • Php-fusion 6.01.15
  • Php-fusion 7.00.1
  • Php-fusion 7.02.01
  • Php-fusion 7.02.02
  • Php-fusion 7.02.03
  • Php-fusion 7.02.04
  • Php-fusion 7.02.05
  • Php-fusion 7.02.06
  • Php-fusion 7.02.07

CVE Information:
CVE-2019-12099

Disclosure Timeline:
Publish Date:05/14/2019