July 28, 2001

Serious PHPnuke vulnerability

Author: JT Smith

Help Net Security has word of a serious issue with PHPnuke: "After testing just a few scripts on phpnuke I have noticed the following:

Some fields in the registration form allow code

and fail to filter out the tags.

e.g Interests: src=http://www.anything.com/defaced.gif>

Also when faking a form and posting from local file (user.php.html) after editing a few
fields like the avatar picture for example, it is possible to escape surtain dirs with the
../../../../dir/pic.gif in the options field."


  • Linux
Click Here!