PHP-Nuke SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHP-Nuke SQL Injection
From: mod <rottyfig12@xxxxxxxxxxx>
Date: 8 Oct 2003 15:37:38 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Version: PHP-Nuke 6.6
Language: PHP
Web site: phpnuke.org
Status: Vendor has been notified

There's an SQL injection hole in modules.php.

http://phpnuke.org/modules.php?name=Downloads&d_op=viewdownload&cid=59%20or%20cid=2

This is from not filtering 'cid', it should be checked that it is only numeric 
with is_numeric(). This hole could allow viewing of password hashes if the 
database is mysql 4.x.

This may effect other versions.

Follow-Ups:
- Re: PHP-Nuke SQL Injection
  - From: 3APA3A

Prev by Date: PeopleSoft <LONGCHAR >and <VARCHAR> Data Upload
Next by Date: Re: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities
Previous by thread: PeopleSoft <LONGCHAR >and <VARCHAR> Data Upload
Next by thread: Re: PHP-Nuke SQL Injection
Index(es):
- Date
- Thread