
CERT-In Vulnerability Note CIVN-2006-122
PHP-Nuke "modules/News/index.php" SQL Injection Vulnerabilities

Original Issue Date: November 29, 2006

Severity Rating: Medium

System Affected

PHP-Nuke 7.x

Overview

A vulnerability has been reported in PHP-Nuke which could be exploited by remote attackers to conduct SQL injection attacks.

Description

A vulnerability has been reported in PHP-Nuke due to an input validation error in the handling of the "sid" parameter passed to modules/News/index.php from modules.php. Remote attackers could exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

Workaround

Set "magic_quotes_gpc" in php.ini to On.
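
The following log check is an added example, not part of the original advisory: it flags requests to modules.php whose "sid" value is not a plain decimal integer, which helps identify probing of this parameter on hosts where "magic_quotes_gpc" is off. It assumes Common/Combined Log Format access logs, that "sid" is a numeric story ID and that it arrives in the query string; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_sid(log_line):
    """Return the offending sid value if the line is a modules.php request
    whose "sid" is not a plain decimal integer, otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/modules.php"):
        return None
    # parse_qs percent-decodes values; keep_blank_values so "sid=" is seen.
    # Parameters sent in a POST body are not in access logs and are not covered.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("sid", []):
        if not re.fullmatch(r"[0-9]{1,10}", value):
            return value
    return None

def scan(lines):
    """Yield (client_ip, sid_value) for every flagged line."""
    for line in lines:
        bad = suspicious_sid(line)
        if bad is not None:
            yield line.split(" ", 1)[0], bad

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2006:10:00:01 +0530] "GET /modules.php?name=News&file=article&sid=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Nov/2006:10:00:05 +0530] "GET /modules.php?name=News&file=article&sid=42%27 HTTP/1.1" 200 312',
    '203.0.113.9 - - [29/Nov/2006:10:00:09 +0530] "GET /index.php?sid=abc HTTP/1.1" 200 900',
    '198.51.100.7 - - [29/Nov/2006:10:00:12 +0530] "GET /modules.php?name=News&sid=7+AND+1 HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for ip, sid in scan(SAMPLE_LOG):
        print(f"{ip}\tnon-numeric sid: {sid!r}")
```

The same digits-only rule can be enforced in front of the application, for example in a web server or WAF rule, so that requests with a non-numeric "sid" are rejected before they reach modules.php.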

References

Secunia
http://secunia.com/advisories/23128/

Original Advisory
http://www.neosecurityteam.net/index.php?action=advisories&id=30

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003