RETIRED: myPHPNuke 'print.php' SQL Injection and Cross-Site Scripting Vulnerabilities

myPHPNuke is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to myPHPNuke 1.8.8_8rc2 are vulnerable.

NOTE: myPHPNuke 1.8.8_8rc2 has been reported still vulnerable to certain limited SQL-injection attacks.

UPDATE: This issue was previously discussed in BID 30942. Due to a technical difficulty with that record, the issue has been assigned a new BID.

This BID is being retired as a duplicate of BID 30942 (myPHPNuke 'print.php' SQL Injection and Cross-Site Scripting Vulnerabilities).


Privacy Statement
Copyright 2010, SecurityFocus