PHP-Nuke Public Message SQL Injection Vulnerability
BID:9615
Info
PHP-Nuke Public Message SQL Injection Vulnerability
| Bugtraq ID: | 9615 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-0266 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 09 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery of this issue has been credited to Janek Vind <[email protected]>. |
| Vulnerable: |
Francisco Burzi PHP-Nuke 7.1 Francisco Burzi PHP-Nuke 7.0 FINAL Francisco Burzi PHP-Nuke 7.0 Francisco Burzi PHP-Nuke 6.9 Francisco Burzi PHP-Nuke 6.7 Francisco Burzi PHP-Nuke 6.6 Francisco Burzi PHP-Nuke 6.5 RC3 Francisco Burzi PHP-Nuke 6.5 RC2 Francisco Burzi PHP-Nuke 6.5 RC1 Francisco Burzi PHP-Nuke 6.5 FINAL Francisco Burzi PHP-Nuke 6.5 BETA 1 Francisco Burzi PHP-Nuke 6.5 Francisco Burzi PHP-Nuke 6.0 |
| Not Vulnerable: | |
Discussion
PHP-Nuke Public Message SQL Injection Vulnerability
It has been reported that the 'public message' feature of PHP-Nuke is vulnerable to an SQL injection vulnerability. The issue is due to improper sanitization of user-defined parameters supplied to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
It has been reported that the 'public message' feature of PHP-Nuke is vulnerable to an SQL injection vulnerability. The issue is due to improper sanitization of user-defined parameters supplied to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
Exploit / POC
PHP-Nuke Public Message SQL Injection Vulnerability
No exploit is required to leverage this vulnerability. The following proof of concept has been provided:
No exploit is required to leverage this vulnerability. The following proof of concept has been provided:
Solution / Fix
PHP-Nuke Public Message SQL Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
PHP-Nuke Public Message SQL Injection Vulnerability
References:
References:
- [waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0 (Janek Vind
)