PHP-NUKE Bacato

TITLE:
PHP-Nuke Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA11852

VERIFY ADVISORY:
http://secunia.com/advisories/11852/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information, DoS

WHERE:
>From remote

SOFTWARE:
PHP-Nuke 7.x
PHP-Nuke 6.x

DESCRIPTION:
Janek Vind has reported multiple vulnerabilities in PHP-Nuke, which
can be exploited by malicious people to conduct cross-site scripting
attacks, disclose path information, and cause a DoS (Denial of
Service).

1) Input passed to various parameters in the "Reviews",
"Encyclopedia", and "Faq" modules isn't properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of a vulnerable site.

2) An input validation error within the "Reviews" module can be
exploited to manipulate SQL queries by passing arbitrary SQL code to
the "order" parameter.

3) Path information can be disclosed in error pages by passing
invalid input to the "preview_review()" function in the "Reviews"
module.

4) An input validation error within the score subsystem of the
"Reviews" module can be exploited to manipulate scores, disclose path
information, and ultimately cause the server to consume excessive
amounts of CPU and memory resources.

The vulnerabilities have been reported in versions 6.x through 7.3.

SOLUTION:
Use another product.

PROVIDED AND/OR DISCOVERED BY:
Janek Vind "waraxe"

ORIGINAL ADVISORY:
http://www.waraxe.us/index.php?modname=sa&id=32

Decisamente meglio farsi un sito da 0.... :eyes:

[Xsescott]

il nuke ha tanti di quelgi exploit che te neppure immagini,meglio farlo da te almeno sei consapevole di quello che fai.:)

io uso php-nuke mi trovo bene ma ti consiglio di fartelo da te, poi fai tu