CVE-2005-4715

Name of the Vulnerable Software and Affected Versions PHP-Nuke version 7.8

Description The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the modules.php file when magic quotes gpc is disabled. This is achieved by exploiting the name, sid, and pid parameters in a POST request, which bypasses the security checks performed for GET requests.

Recommendations For PHP-Nuke version 7.8, consider disabling the modules.php file or restricting access to it until a patch is available. As a temporary workaround, enable magic quotes gpc to prevent SQL injection attacks via the name, sid, and pid parameters in POST requests. Restrict input for these parameters to minimize the risk of exploitation.