CVE-2005-4449

Name of the Vulnerable Software and Affected Versions FlatNuke version 2.5.6

Description The issue in FlatNuke allows remote authenticated administrators to modify arbitrary PHP files. This is achieved by setting the file parameter to an arbitrary file and injecting code into the body parameter in the verify.php file. However, if a FlatNuke administrator is normally assumed to have the privilege to modify arbitrary content, this issue does not cross privilege boundaries.

Recommendations For FlatNuke version 2.5.6, consider restricting access to the verify.php file to prevent unauthorized modification of PHP files until a fix is available. As a temporary workaround, restrict the ability to inject code into the body parameter to minimize the risk of exploitation.