PHP-Nuke: Management and Programming
Prev	Chapter 23. Security	Next

23.3. Common PHP-Nuke security vulnerabilities

It's instructive to take the time and have a look at PHP-Nuke's list of vulnerabilities (see Table 23-1). Even a superficial inspection reveals some common vulnerability patterns:

Cross-site scripting (Section 23.3.1)
SQL injection (Section 23.3.2)
Path disclosure (Section 23.3.3)
Cross-site tracing (Section 23.3.4)

In the following we will examine them in more detail.

Table 23-1. List of PHP-Nuke security vulnerabilities

Description	Date
PHP-Nuke Path Disclosure Vulnerability	21.10.2003
Splatt Forum Cross-Site Scripting Vulnerability	19.07.2003
PHP-Nuke SQL injection	19.05.2003
Splatt Forum Cross Site Scripting	02.05.2003
PHP-Nuke Cross-Site Scripting	25.04.2003
PHP-Nuke Cross-Site Scripting	01.04.2003
PHP-Nuke SQL Injection	26.03.2003
PHP-Nuke Referer Cross-Site Scripting	19.03.2003
PHP-Nuke Path Disclosure	18.03.2003
PHP-Nuke Multiple SQL Injection Vulnerabilities	07.03.2003
PHP-Nuke Multiple SQL Injection Vulnerabilities	25.02.2003
PHP Nuke Avatar Scriptcode Injection	04.02.2003
PHP-Nuke mail CRLF injection	23.12.2002
PHP-Nuke execution of arbitrary code	17.12.2002
PHP-Nuke Cross Site Scripting	17.12.2002
PHP-Nuke Cross Site Scripting	25.11.2002
PHP-Nuke SQL injection resets passwords	01.11.2002
PHP-Nuke Cross Site Scripting	10.10.2002
Cross Site Scripting holes in Xoops, PHP-Nuke, NPDS, daCode, Drupal and phpWebSite	24.09.2002

Prev	Home	Next
The impact of bad security record on software popularity	Up	Cross-site scripting with PHP-Nuke

PHP-Nuke HOWTO in module form by Chris Karakas