|
|
>> PhpNuke Cross Site Scripting and Path disclosure Vulnerabilities
|
Title : PhpNuke Cross Site Scripting and Path disclosure Vulnerabilities
VUPEN ID : VUPEN/ADV-2005-0165
CVE ID : CVE-2005-0433 - CVE-2005-0434
CWE ID : CWE-
Rated as : Low Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-02-15
|
|
Several vulnerabilities were identified in PhpNuke, which could be exploited by attackers to conduct Cross Site Scripting attacks. The first flaw resides in the "db/db.php", "mainfile.php", "modules/Downloads/index.php", and "modules/Web_Links/index.php" files, which may be exploited to determine the installation path. The second vulnerability resides in the "modules/Downloads/index.php" and "modules/Web_Links/index.php" files, when handling specially crafted "newlinkshowdays" and "newdownloadshowdays" parameters, which may be exploited to conduct Cross Site Scripting attacks.
Credits
Vulnerability reported by Janek Vind
ChangeLog
2005-02-15 : Initial release
2005-02-16 : Updated CVE
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
