PHP-Nuke Web_Links Module voteinclude.php Path Disclosure

2004-06-23T00:00:00
ID OSVDB:7223
Type osvdb
Reporter Janek Vind "waraxe"(come2waraxe@yahoo.com)
Modified 2004-06-23T00:00:00

Description

Vulnerability Description

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the voteinclude.php file in the Web Links module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the voteinclude.php file in the Web Links module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

Manual Testing Notes

http://[victim]/nuke73/modules/Web_Links/voteinclude.php

References:

Vendor URL: http://phpnuke.org Secunia Advisory ID:11920 Related OSVDB ID: 7224 Related OSVDB ID: 7226 Related OSVDB ID: 7229 Related OSVDB ID: 7234 Related OSVDB ID: 7227 Related OSVDB ID: 7230 Related OSVDB ID: 7232 Related OSVDB ID: 7233 Related OSVDB ID: 7235 Related OSVDB ID: 7236 Related OSVDB ID: 7225 Related OSVDB ID: 7228 Related OSVDB ID: 7231 Other Advisory URL: http://www.waraxe.us/?modname=sa&id=033 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0739.html