PHP-Nuke asterisk plus path disclosure
| phpnuke-asterisk-plus-path-disclosure (16736) |  Low Risk |
Description:
PHP-Nuke could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the search module. A remote attacker could send a specially-crafted URL request containing a double asterisk (**) or a plus sign (+) to cause the program to return an error message that discloses the installation path of PHP-Nuke.
Consequences:
Obtain Information
Remedy:
No remedy available as of July 9, 2011.
References:
- BugTraq Mailing List, Sun Jul 18 2004 - 08:54:08 CDT: [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3].
- BID-10749: PHPNuke Multiple Input Validation Vulnerabilities
- CVE-2004-0736: The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) ** or (2) + search patterns, which reveals the path in an error message.
Platforms Affected:
- PHPNuke PHP-Nuke 8.0 Final
Reported:
Jul 18, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net