23.3. Common PHP-Nuke security vulnerabilities

It is instructive to take the time to look at PHP-Nuke's list of vulnerabilities (see Table 23-1). Even a superficial inspection reveals some common vulnerability patterns:

In the following we will examine them in more detail.

Table 23-1. List of PHP-Nuke security vulnerabilities

| Description | Date |
| --- | --- |
| PHP-Nuke Path Disclosure Vulnerability | 21.10.2003 |
| Splatt Forum Cross-Site Scripting Vulnerability | 19.07.2003 |
| PHP-Nuke SQL injection | 19.05.2003 |
| Splatt Forum Cross Site Scripting | 02.05.2003 |
| PHP-Nuke Cross-Site Scripting | 25.04.2003 |
| PHP-Nuke Cross-Site Scripting | 01.04.2003 |
| PHP-Nuke SQL Injection | 26.03.2003 |
| PHP-Nuke Referer Cross-Site Scripting | 19.03.2003 |
| PHP-Nuke Path Disclosure | 18.03.2003 |
| PHP-Nuke Multiple SQL Injection Vulnerabilities | 07.03.2003 |
| PHP-Nuke Multiple SQL Injection Vulnerabilities | 25.02.2003 |
| PHP Nuke Avatar Scriptcode Injection | 04.02.2003 |
| PHP-Nuke mail CRLF injection | 23.12.2002 |
| PHP-Nuke execution of arbitrary code | 17.12.2002 |
| PHP-Nuke Cross Site Scripting | 17.12.2002 |
| PHP-Nuke Cross Site Scripting | 25.11.2002 |
| PHP-Nuke SQL injection resets passwords | 01.11.2002 |
| PHP-Nuke Cross Site Scripting | 10.10.2002 |
| Cross Site Scripting holes in Xoops, PHP-Nuke, NPDS, daCode, Drupal and phpWebSite | 24.09.2002 |




Chris Karakas, Maintainer PHP-Nuke HOWTO