|
|
|
>> PhpNuke Cross Site Scripting and Path disclosure Vulnerabilities
|
Several vulnerabilities were identified in PhpNuke, which could be exploited by attackers to conduct Cross Site Scripting attacks. The first flaw resides in the "db/db.php", "mainfile.php", "modules/Downloads/index.php", and "modules/Web_Links/index.php" files, which may be exploited to determine the installation path. The second vulnerability resides in the "modules/Downloads/index.php" and "modules/Web_Links/index.php" files, when handling specially crafted "newlinkshowdays" and "newdownloadshowdays" parameters, which may be exploited to conduct Cross Site Scripting attacks.
Affected Products
PHP-Nuke version 7.6 and prior
Solution
VUPEN Security is not aware of any official supplied patch for this issue.
References
http://www.vupen.com/english/advisories/2005/0165
http://www.waraxe.us/advisory-40.html
Credits
Vulnerability reported by Janek Vind
ChangeLog
2005-02-15 : Initial release
2005-02-16 : Updated CVE
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
