Is this true?

registered · Posted: Fri Jan 09, 2004 12:17 pm

Is this true and is there a fix?

Quote:

(4) MODERATE: PHP-Nuke Multiple Modules SQL Injection
Affected: PHP-Nuke version 7.0 FINAL and possibly prior versions

Description:
The PHP-Nuke "Surveys" module contains an SQL injection vulnerability
in handling data supplied to the "pollID" parameter. Remote attackers
can exploit the flaw to manipulate SQL queries issued against the
backend database, potentially leading to compromise of the PHP-Nuke
application. Further, the vendor's announcement of a fix indicates that
additional SQL injection vulnerabilities have been found in the "Forums"
and "Reviews" modules. Technical details have been posted.

Status: The vendor has corrected the problems in the latest release of
PHP-Nuke version 7.0 FINAL. The new version is available to PHP-Nuke
Club Members only.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. Most sites reported that no
action was necessary. A few sites did send out a notice to their
respective support groups as an FYI.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Old news. And, it only worked where MySQL v4.x is being used.

New Member Joined: Jan 05, 2004 Posts: 3

So this is only an issue with MySQL v4.x and below? Above that version? Or strickly v4.x? Could you please clarify this a bit. Old news to you but new to me as I have just started toying with the nuke site builder. I would like to know if my efforts are in vain...

Posted: Fri Jan 09, 2004 7:34 pm

^^Cheesehead friend of mine.

Posted: Fri Jan 09, 2004 9:22 pm

4.x only, to my understanding. Many of us have tried to replicate the 'exploit' and have not been able to.

Posted: Fri Jan 09, 2004 10:22 pm

Gotcha, thx

Cool