source: https://www.securityfocus.com/bid/3906/info

PHPNuke is a website creation/maintenance tool. It can be back-ended by a number of database products such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc.

The sql_layer.php script contains a debugging feature that may be used by attackers to disclose sensitive information about all SQL queries made by PHPNuke. Access to the debugging feature is not restricted to administrators.

This may be used by a remote attacker to disclose sensitive information about the database which may contribute to further attacks against the website running PHPNuke and the database.

It is not known whether PostNuke is also affected by this issue.

The following URLs may be used to access the debugging features:

http://www.vulnerable-site.com/index.php?sql_debug=1

or

http://www.vulnerable-site.com/modules.php?name=Members_List&&sql_debug=1
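
For defenders reviewing web server logs, the following added example (not part of the original advisory or of PHPNuke) flags requests that carry the sql_debug parameter described above. The Apache combined log format, the sample log lines and the function name find_sql_debug_requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2002:10:00:01 +0000] "GET /index.php?sql_debug=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2002:10:00:09 +0000] "GET /modules.php?name=Members_List&&sql_debug=1 HTTP/1.0" 200 9034 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2002:10:01:12 +0000] "GET /modules.php?name=News&file=article&sid=4 HTTP/1.0" 200 7311 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Jan/2002:10:02:30 +0000] "GET /index.php?sql%5Fdebug=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2002:10:03:00 +0000] "GET /search.php?query=sql_debug HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
"""

# client IP, timestamp, method, request target, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_sql_debug_requests(log_text):
    """Return (ip, target, value, status) for each request with a sql_debug parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes parameter names, skips the empty pair
        # produced by "&&", and keep_blank_values also catches "sql_debug=".
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == "sql_debug":
                hits.append((m["ip"], m["target"], value, int(m["status"])))
                break
    return hits

if __name__ == "__main__":
    for ip, target, value, status in find_sql_debug_requests(SAMPLE_LOG):
        print(f"{ip} requested {target} (sql_debug={value!r}, HTTP {status})")
```

Matching on the parsed parameter name rather than a substring keeps the search.php line, where sql_debug is only a search term, out of the results.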