PT-2003-2285 · Php Nuke · Php-Nuke

Bugsman · Published 2003-12-31 · Updated 2018-10-19 · CVE-2003-1340

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PHP-Nuke versions 5.6 and 6.5
Description: The issue allows remote authenticated users to execute arbitrary SQL commands via a uid (user) cookie sent to modules.php. Additionally, remote attackers can execute arbitrary SQL commands via an aid (admin) cookie sent to the Web Links module in a viewlink, MostPopular, or NewLinksDate action.
Recommendations: For PHP-Nuke versions 5.6 and 6.5, update to a version that addresses the SQL injection vulnerabilities. As a temporary workaround, consider restricting access to modules.php and the Web Links module to minimize the risk of exploitation. Avoid using the uid and aid cookies in the affected modules until the issue is resolved.

Exploit

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2003-1340

Affected Products

Php-Nuke