PHP-Nuke Event Calendar Module submit.php Path Disclosure

2004-11-16T08:19:37
ID OSVDB:11881
Type osvdb
Reporter Janek Vind "waraxe"(come2waraxe@yahoo.com)
Modified 2004-11-16T08:19:37

Description

Vulnerability Description

PHPNuke Event Calendar contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an attacker directly accesses "submit.php" and receives error messages, which will disclose server path information resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

PHPNuke Event Calendar contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an attacker directly accesses "submit.php" and receives error messages, which will disclose server path information resulting in a loss of confidentiality.

Manual Testing Notes

http://[victim]/nuke73/modules/Calendar/submit.php

References:

Vendor URL: http://phpnuke.holbrookau.net/ Security Tracker: 1012245 Secunia Advisory ID:13213 Related OSVDB ID: 11879 Related OSVDB ID: 11880 Related OSVDB ID: 11884 Related OSVDB ID: 11882 Related OSVDB ID: 11883 Other Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=38 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0204.html CVE-2004-1528