https://www.exploit-db.com/exploits/24384
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200408-175

PHP-Fusion是一款基于PHP的内容管理系统。PHP-Fusion存在多个安全问题，远程攻击者可以利用这些漏洞下载备份数据库，判断安装路径等。y3dips报告远程用户可以访问’fusion_admin/db_backups’目录中的备份文件，文件名为：-backup_year-month-day_time.sql-backup_year-month-day_time.sql.gz远程用户可以测试文件名下载，文件包含用户名和MD5密码HASH信息。利用这些信息可能以管理员权限访问应用程序。另外通过访问部分脚本可获得系统的安装路径信息。

source: http://www.securityfocus.com/bid/10974/info

It is reported that PHP-Fusion is susceptible to a database backup information disclosure vulnerability. An anonymous remote attacker may be able to download a complete database backup from the server. Authentication would not be required.

A remote attacker may exploit this vulnerability to download the full contents of the application database. The backup includes user information and password hashes. This information could then be used in further attacks against the application. Furthermore, since the database uses the MD5 hash of passwords for authentication, and the authentication cookie directly includes both the username and the MD5 password hash, an attacker would not need to bruteforce the retrieved password hashes.

Version 4.00 was reported vulnerable. Other versions are also likely affected.

Update:
This issue is being retired due to the fact that this is not a vulnerability in the application. Configuring the Web server to restrict access to sensitive files can prevent this problem.

http://www.example.com/fusion/fusion_admin/db_backups/backup_2004-08-17_1845.sql

来源:XF
名称:phpfusion-database-file-access(17037)
链接:http://xforce.iss.net/xforce/xfdb/17037
来源:BID
名称:10974
链接:http://www.securityfocus.com/bid/10974
来源:SECUNIA
名称:12336
链接:http://secunia.com/advisories/12336
来源:BUGTRAQ
名称:20040818MultiplevulnerabilitiesinPHP-FUSION
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=109285292901685&w;=2