PT-2004-2940 · Nuke Cops+3 · Nuke Cops Betanc Php-Nuke Bundle+3

Squid · Published 2004-06-01 · Updated 2017-07-11 · CVE-2004-2044

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

PHP-Nuke versions 7.3 and earlier
Nuke Cops betaNC PHP-Nuke Bundle (affected versions not specified)
OSCNukeLite version 3.1
OSC2Nuke versions 7.x

Description

The issue arises from the improper use of the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script. This allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access. An example of exploitation is demonstrated using an HTTP request that contains the "admin.php" string.

Recommendations

For PHP-Nuke version 7.3 and earlier, update the code to properly utilize the eregi() function with $_SERVER['PHP_SELF'].
For Nuke Cops betaNC PHP-Nuke Bundle, review and modify the codebase to ensure proper identification of the calling script.
For OSCNukeLite version 3.1, apply a patch or update that fixes the improper use of the eregi() function.
For OSC2Nuke versions 7.x, modify the code to correctly validate the calling script using the eregi() function and $_SERVER['PHP_SELF'].
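
The substring check described above next to a stricter one, as an added example that is not code from PHP-Nuke or from this advisory. The function names, file paths and $_SERVER values are constructed, and stripos() stands in for eregi(), which was removed in PHP 7.

```php
<?php
// Added example: function names and sample values are constructed.

// Weak check: case-insensitive substring match on PHP_SELF, as the
// advisory describes. stripos() stands in for the removed eregi().
function weak_called_from_admin(array $server): bool
{
    return stripos($server['PHP_SELF'], 'admin.php') !== false;
}

// Stricter check: compare the file the server actually executed, exactly,
// instead of searching a string the client can influence.
function strict_called_from_admin(array $server): bool
{
    return basename($server['SCRIPT_FILENAME']) === 'admin.php';
}

// Constructed $_SERVER snapshots. PHP_SELF carries any trailing path info
// from the URL, so part of it is chosen by the client.
$samples = [
    'included by admin.php' => [
        'PHP_SELF'        => '/admin.php',
        'SCRIPT_FILENAME' => '/var/www/html/admin.php',
    ],
    'requested directly' => [
        'PHP_SELF'        => '/admin/modules/example.php',
        'SCRIPT_FILENAME' => '/var/www/html/admin/modules/example.php',
    ],
    'direct, "admin.php" in path info' => [
        'PHP_SELF'        => '/admin/modules/example.php/admin.php',
        'SCRIPT_FILENAME' => '/var/www/html/admin/modules/example.php',
    ],
];

foreach ($samples as $label => $server) {
    printf(
        "%-34s weak=%-5s strict=%s\n",
        $label,
        var_export(weak_called_from_admin($server), true),
        var_export(strict_called_from_admin($server), true)
    );
}
```

Only the weak check accepts the third sample, because it matches anywhere in PHP_SELF rather than identifying the script that was executed.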


Related Identifiers

CVE-2004-2044

Affected Products

Nuke Cops Betanc Php-Nuke Bundle
Osc2Nuke
Oscnukelite
Php-Nuke