| VID |
21272 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PHP-Nuke installation on the Web server has a SQL injection vulnerability in the modules.php script. PHP-Nuke is an open-source program, created by Francisco Burzi, for creating and managing news-based Web sites. The vulnerability arises from insufficient handling of user-supplied input passed to the "modules.php" script. By sending a 'cid' variable containing SQL queries to the "modules.php" script, a remote attacker can manipulate the underlying database. As a result, an attacker could alter the SQL query the script performs and potentially extract information such as password hashes from the database.
* References: http://rst.void.ru/texts/advisory10.htm, http://www.securityfocus.com/archive/1/348163
* Platforms Affected: PHP-Nuke version 6.9 and earlier; Linux (any version); Unix (any version); Windows (any version) |
| Recommendation |
Upgrade to the latest version of PHP-Nuke (7.0 or later), available from the PHP-Nuke Developer's Official Web site, http://www.phpnuke.org.
-- OR --
Uninstall this package and use an alternative. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|