PT-2009-2968 · Php Nuke · Php-Nuke

Dante90

·

Published

2009-01-27

·

Updated

2018-10-11

·

CVE-2009-0302

CVSS v2.0

4.6

Medium

VectorAV:N/AC:H/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions PHP-Nuke versions 8.0 through 8.1.0.3.5b
Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by exploiting the "url" parameter in the Add operation to "modules.php".
Recommendations For PHP-Nuke versions 8.0 through 8.1.0.3.5b, consider restricting access to the Downloads module until a fix is available. As a temporary workaround, avoid using the url parameter in the Add operation to "modules.php" to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2009-0302

Affected Products

Php-Nuke