CVE-2008-1591

Name of the Vulnerable Software and Affected Versions PostNuke versions 0.764 and earlier

Description The issue allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, such as the CLIENT IP HTTP header (HTTP CLIENT IP variable), due to the pnVarPrepForStore function skipping input sanitization when magic quotes runtime is enabled.

Recommendations For PostNuke versions 0.764 and earlier, consider disabling the pnVarPrepForStore function or restricting input associated with server variables until a patch is available. Additionally, disabling magic quotes runtime may help mitigate the risk of SQL injection attacks.