vendor:
friend.php Module
by:
CMD
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: friend.php Module
Affected Version From: all versions
Affected Version To: all versions
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010
PHP-Nuke ‘friend.php’ Module Remote SQL Injection
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'sid' parameter to the '/friend.php' script. A remote attacker can execute arbitrary SQL commands in the application's database, cause denial of service, access or modify sensitive data, exploit various vulnerabilities in the underlying SQL server, etc.
Mitigation:
Input validation should be used to prevent SQL injection attacks. All input data should be validated and filtered before passing to the SQL statement. It is recommended to use prepared statements, parameterized queries, or stored procedures instead of constructing queries using string concatenation.
