K-OTik Security Advisory : KOTIK/ADV-2005-0165
CVE Reference : CAN-2005-0433 - CAN-2005-0434
Rated as : Low
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-02-15
* Technical Description *
Several vulnerabilities were identified in PhpNuke, which could be exploited by attackers to conduct Cross Site Scripting attacks. The first flaw resides in the "db/db.php", "mainfile.php", "modules/Downloads/index.php", and "modules/Web_Links/index.php" files, which may be exploited to determine the installation path. The second vulnerability resides in the "modules/Downloads/index.php" and "modules/Web_Links/index.php" files, when handling specially crafted "newlinkshowdays" and "newdownloadshowdays" parameters, which may be exploited to conduct Cross Site Scripting attacks.
* Affected Products *
PHP-Nuke version 7.6 and prior
* Solution *
K-OTik Security is not aware of any official supplied patch for this issue.
* References *
http://www.k-otik.com/english/advisories/2005/0165http://www.waraxe.us/advisory-40.html
AlphaOne Technology Support Forums
Author
Logged
