PHPNuke Admin Cookie Variable SQL Injection Vulnerability

It has been reported that the 'admin' cookie variable used by PHPNuke during the authentication process is vulnerable to an SQL injection attack.

PHPNuke, in some cases, does not sufficiently sanitize cookie-based data that is used when constructing SQL queries during the authentication process. As a result, attackers may supply malicious cookie tokens to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database. This issue may be exploited to cause sensitive information to be disclosed to a remote attacker.
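
The following is an added example, not PHPNuke's own code, showing how a cookie-driven authentication lookup can be written so that cookie data never alters the query structure. The cookie layout (base64 of "name:token"), the `admins` table, its columns and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie layout (assumption): base64("name:token").
function parse_admin_cookie(string $raw): ?array
{
    $decoded = base64_decode($raw, true);   // strict mode rejects non-base64 input
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded, 3);
    if (count($parts) < 2) {
        return null;
    }
    [$name, $token] = $parts;
    // Allow-list the shape of each field before it is used anywhere.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,25}\z/', $name)
        || !preg_match('/\A[a-f0-9]{32,128}\z/', $token)) {
        return null;
    }
    return [$name, $token];
}

function is_admin(PDO $db, string $rawCookie): bool
{
    $fields = parse_admin_cookie($rawCookie);
    if ($fields === null) {
        return false;
    }
    [$name, $token] = $fields;
    // Flawed pattern for contrast: "... WHERE name = '$name'" built by string
    // concatenation. Here the value is bound as a parameter instead.
    $stmt = $db->prepare('SELECT token FROM admins WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, $token);
}

// Constructed demo data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (name TEXT PRIMARY KEY, token TEXT)');
$token = hash('sha256', 'constructed-demo-secret');
$db->prepare('INSERT INTO admins VALUES (?, ?)')->execute(['editor', $token]);

var_dump(is_admin($db, base64_encode("editor:$token")));   // well-formed cookie
var_dump(is_admin($db, base64_encode("editor':$token")));  // quote in the name field
var_dump(is_admin($db, 'not base64 !!'));                  // malformed cookie
```

The allow-list check and the bound parameter are independent layers: either one alone keeps a quote character in the cookie from reaching the SQL parser as syntax.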


 

Copyright 2010, SecurityFocus