PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities

Bugtraq ID:	22909
Class:	Input Validation Error
CVE:	CVE-2007-1449
Remote:	Yes
Local:	No
Published:	Mar 10 2007 12:00AM
Updated:	May 12 2015 07:29PM
Credit:	Aleksandar is credited with the discovery of this vulnerability.
Vulnerable:	PHP-Nuke PHP-Nuke 8.0 PHP-Nuke PHP-Nuke 7.9 PHP-Nuke PHP-Nuke 7.8 PHP-Nuke PHP-Nuke 7.7 PHP-Nuke PHP-Nuke 7.6 PHP-Nuke PHP-Nuke 7.5 PHP-Nuke PHP-Nuke 7.4 PHP-Nuke PHP-Nuke 7.3 PHP-Nuke PHP-Nuke 7.2 PHP-Nuke PHP-Nuke 7.1 PHP-Nuke PHP-Nuke 7.0 PHP-Nuke PHP-Nuke 8.0.0 Final
Not Vulnerable:

PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities

PHP-Nuke is prone to local file-include and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to retrieve arbitary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

These issues affect version 8.0; other versions may also be vulnerable.

PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities

References:

• PHP-Nuke Homepage (PHP-Nuke)
  
• PHP-Nuke <= 8.0 Cookie Manipulation (lang) (Aleksandar)