Bugtraq mailing list archives
PHP-Nuke SQL Injection
From: mod <rottyfig12 () hotmail com>
Date: 8 Oct 2003 15:37:38 -0000
Version: PHP-Nuke 6.6 Language: PHP Web site: phpnuke.org Status: Vendor has been notified There's an SQL injection hole in modules.php. http://phpnuke.org/modules.php?name=Downloads&d_op=viewdownload&cid=59%20or%20cid=2 This is from not filtering 'cid', it should be checked that it is only numeric with is_numeric(). This hole could allow viewing of password hashes if the database is mysql 4.x. This may effect other versions.
Current thread:
- PHP-Nuke SQL Injection mod (Oct 08)
- Re: PHP-Nuke SQL Injection 3APA3A (Oct 08)