[VIM] Old PHP-Nuke/PostNuke SQL injection issues - clarification

Steven M. Christey coley at mitre.org
Fri Dec 1 22:41:05 EST 2006

CrAzY CrAcKeR reported a couple issues in June - one in PHP-Nuke and
one in PostNuke - without naming either product, so these might have
been missed.

=== PHP-Nuke ===


Ref: Module's Name Content<<--V1.0 SQL injection

Web searches on the "list_pages_categories" eventually led to the
Content module in PHP-Nuke.  Relevant code, from an older version 6.0:


  function showpage($pid, $page=0) {
    $result = sql_query("SELECT * from ".$prefix."_pages where pid='$pid'", $dbi);
    sql_query("update ".$prefix."_pages set counter=counter+1 where pid='$pid'", $dbi);


  function list_pages_categories($cid) {
    $result = sql_query("SELECT pid, title, subtitle, clanguage from ".$prefix."_pages WHERE active='1' AND cid='$cid' order by date", $dbi);

Note that version 7.9 does not have the problem:

  function showpage($pid, $page=0) {
    $pid = intval($pid);


  function list_pages_categories($cid) {
    $cid = intval($cid);

I didn't check other versions.

=== PostNuke ===

BUGTRAQ:20060617 Module's Name Downloads <<--V 7 SQL injection

I did not access any old versions of PostNuke, but the relevant
function (viewdownloaddetails) is in dl-downloaddetails.php in
PostNuke 0.764, although the $lid variable is checked with
is_numeric().  So, I don't know what versions (if any) are affected,
but have an inquiry into the developer.

- Steve
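
The version comparison in the post (parameters interpolated into sql_query() in 6.0, coerced with intval() first in 7.9) can be automated as a triage pass over other releases. The following is an added example, not code from the post or from PHP-Nuke; the name unguarded_params, the sample strings, and the queries shown in the 7.9 sample are assumptions.

```python
import re

# Constructed samples: the 6.0 functions are the excerpts quoted in the post,
# closed with braces. In the 7.9 sample only the intval() lines come from the
# post; the queries after them are assumed for illustration.
PHP_6_0 = r'''
function showpage($pid, $page=0) {
    $result = sql_query("SELECT * from ".$prefix."_pages where pid='$pid'", $dbi);
    sql_query("update ".$prefix."_pages set counter=counter+1 where pid='$pid'", $dbi);
}
function list_pages_categories($cid) {
    $result = sql_query("SELECT pid, title, subtitle, clanguage from ".$prefix."_pages WHERE active='1' AND cid='$cid' order by date", $dbi);
}
'''
PHP_7_9 = r'''
function showpage($pid, $page=0) {
    $pid = intval($pid);
    $result = sql_query("SELECT * from ".$prefix."_pages where pid='$pid'", $dbi);
}
function list_pages_categories($cid) {
    $cid = intval($cid);
    $result = sql_query("SELECT pid, title from ".$prefix."_pages WHERE cid='$cid'", $dbi);
}
'''

HEADER = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)')
GUARD = r'(?:intval\s*\(\s*|\(int\)\s*|is_numeric\s*\(\s*)'

def unguarded_params(php_source):
    """Map function name -> parameters that appear inside a sql_query() call
    with no earlier intval()/(int)/is_numeric() applied to that variable."""
    findings = {}
    headers = list(HEADER.finditer(php_source))
    for i, h in enumerate(headers):
        # Body = text from this header up to the next function header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(php_source)
        body = php_source[h.end():end]
        for param in re.findall(r'\$(\w+)', h.group(2)):
            var = r'\$' + re.escape(param) + r'\b'
            use = re.search(r'sql_query\s*\([^;]*?' + var, body)
            if use and not re.search(GUARD + var, body[:use.start()]):
                findings.setdefault(h.group(1), []).append(param)
    return findings

if __name__ == "__main__":
    for label, src in (("6.0", PHP_6_0), ("7.9", PHP_7_9)):
        print(label, unguarded_params(src) or "no unguarded parameters found")
```

This is a text heuristic, not a PHP parser: a reported function still needs manual review, and a matched guard only shows that the check is present, not that its result is enforced.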
