CVE-2004-2044

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
francisco-burzi
oscommerce
paul-laudanski
trustix
exploit available

Summary

PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string.

Exploit-Db

description: PHP-Nuke 5.x/6.x/7.x Direct Script Access Security Bypass Vulnerability. CVE-2004-2044. Webapps exploit for php platform
id: EDB-ID:24166
last seen: 2016-02-02
modified: 2004-06-01
published: 2004-06-01
reporter: Squid
source: https://www.exploit-db.com/download/24166/
title: PHP-Nuke 5.x/6.x/7.x Direct Script Access Security Bypass Vulnerability