1732 matches found
PHP-Nuke 7.x - Block-Old_Articles.php SQL Injection
PHP-Nuke 7.x - Block-Old_Articles.php SQL Injection source: https://www.securityfocus.com/bid/22037/info PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker t...
PHP-Nuke 7.x - 'Block-Old_Articles.php' SQL Injection
source: https://www.securityfocus.com/bid/22037/info PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data...
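PHP-Nuke Book Catalog Module Upload.PHP Arbitrary File Upload Vulnerability
PHP-Nuke Book Catalog Module is a book catalog module written in PHP. PHP-Nuke Book Catalog Module does not properly filter user-submitted data; a remote attacker can exploit the vulnerability to upload arbitrary files and have them executed by the web process. 'BookCatalog/upload.php' lacks proper filtering of user-submitted image files, so a PHP file can be submitted directly and executed with the privileges of the web server. SAP Basis Community Book Catalog Module 1.0 No solution is currently available; please watch the following link: http://www.basisconsultant.com/index.php...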
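PHP-Nuke AutoHTML Local File Inclusion Vulnerability
PHP-Nuke is a PHP-based site framework. PHP-Nuke does not properly filter user-submitted URI data; a remote attacker can exploit the vulnerability to view the contents of system files with the privileges of the web process. The problem is that the 'autohtml.php' script lacks filtering of the user-submitted 'name' parameter: submitting parameter data containing multiple "../" sequences bypasses the web root restriction and allows system file contents to be viewed with the privileges of the web process. PHP-Nuke AutoHTML Module 2.0 http://www.nukeaddon.com/ http://www.site.com/autohtml.php?op=modload&name=../../../../etc/passwd...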
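PHP-Nuke Category Parameter SQL Injection Vulnerability
PHP-Nuke is a widely used website creation and management tool that can use many database products as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase. The 'index.php' script included in PHP-Nuke lacks sufficient filtering of user-submitted parameters; a remote attacker can exploit this vulnerability to carry out SQL injection attacks, possibly obtaining sensitive database information and modifying database contents. When a search is performed, the index.php script lacks sufficient filtering of the data the user submits to the $category variable; submitting data containing SQL commands as the $category parameter can alter the original database logic, obtaining sensitive database information and modifying database contents. Francisco Burzi...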
CVE-2006-6255
Direct static code injection vulnerability in util.php in the NukeAI 0.0.3 Beta module for PHP-Nuke, aka Program E is an AIML chatterbot, allows remote attackers to upload and execute arbitrary PHP code via a filename with a .php extension in the filename parameter and code in the moreinfo...
CVE-2006-6234
Multiple SQL injection vulnerabilities in the Content module in PHP-Nuke 6.0, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via (1) the cid parameter in a list_pages_categories action or (2) the pid parameter in a showpage action...
CVE-2006-6234
CVE-2006-6234 affects the Content module in PHP-Nuke 6.0 (and possibly other versions). The vulnerability is a SQL injection allowing remote attackers to execute arbitrary SQL commands via (1) the cid parameter in a list_pages_categories action or (2) the pid parameter in a showpage action. The N...
CVE-2006-6202
PHP remote file inclusion vulnerability in modules/NukeAI/util.php in the NukeAI 0.0.3 Beta module for PHP-Nuke, aka Program E is an AIML chatterbot, allows remote attackers to execute arbitrary PHP code via a URL in the AIbasedir parameter...
CVE-2006-6200
Multiple SQL injection vulnerabilities in the (1) rate_article and (2) rate_complete functions in modules/News/index.php in the News module in Francisco Burzi PHP-Nuke 7.9 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the sid parameter...
CVE-2006-6217
PHP remote file inclusion vulnerability in formdisp.php in the Mermaid 1.2 module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the module_name parameter...
CVE-2006-6217
The CVE describes a PHP remote file inclusion vulnerability in formdisp.php of the Mermaid 1.2 module for PHP-Nuke, allowing remote attackers to execute arbitrary PHP code via a URL supplied in the module_name parameter. Affected software: Mermaid 1.2 module for PHP-Nuke. Root cause: improper han...
CVE-2006-6202
Summary of CVE-2006-6202: PHP remote file inclusion vulnerability in the NukeAI 0.0.3 Beta module for PHP-Nuke. The issue affects the modules/NukeAI/util.php component, where an attacker can supply a URL in the AIbasedir parameter to cause remote code execution by including arbitrary PHP. The pro...
CVE-2006-6200
The CVE-2006-6200 entry describes multiple SQL injection vulnerabilities in the News module of PHP-Nuke (version 7.9 and earlier). Specifically, the rate_article and rate_complete functions in modules/News/index.php are affected when magic_quotes_gpc is disabled, allowing remote attackers to exec...