CVE-2006-0907
https://notcve.org/view.php?id=CVE-2006-0907
SQL injection vulnerability in PHP-Nuke before 7.8 Patched 3.2 allows remote attackers to execute arbitrary SQL commands via encoded /%2a (/*) sequences in the query string, which bypasses regular expressions that are intended to protect against SQL injection, as demonstrated via the kala parameter. • http://www.securityfocus.com/archive/1/426083/100/0/threaded http://www.waraxe.us/advisory-47.html •
CVE-2006-0805 – PHP-Nuke 7.x - CAPTCHA Bypass
https://notcve.org/view.php?id=CVE-2006-0805
The CAPTCHA functionality in PHP-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypass CAPTCHA controls by fixing the User Agent, performing a valid challenge/response, then replaying that pair in the random_num and gfx_check parameters. • https://www.exploit-db.com/exploits/27249 http://secunia.com/advisories/18936 http://securityreason.com/securityalert/455 http://www.securityfocus.com/archive/1/425394/100/0/threaded http://www.securityfocus.com/bid/16722 http://www.waraxe.us/advisory-45.html •
CVE-2006-0679
https://notcve.org/view.php?id=CVE-2006-0679
SQL injection vulnerability in index.php in the Your_Account module in PHP-Nuke 7.8 and earlier allows remote attackers to execute arbitrary SQL commands via the username variable (Nickname field). • http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0358.html http://secunia.com/advisories/18931 http://securityreason.com/achievement_securityalert/32 http://securityreason.com/securityalert/440 http://www.osvdb.org/23259 http://www.securityfocus.com/archive/1/425173/100/0/threaded http://www.securityfocus.com/bid/16691 http://www.vupen.com/english/advisories/2006/0636 https://exchange.xforce.ibmcloud.com/vulnerabilities/24769 •
CVE-2006-0676 – PHP-Nuke 6.x/7.x - 'header.php?Pagetitle' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-0676
Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter. • https://www.exploit-db.com/exploits/27208 http://secunia.com/advisories/18820 http://securityreason.com/securityalert/425 http://www.securityfocus.com/archive/1/424956/100/0/threaded http://www.securityfocus.com/bid/16608 http://www.vupen.com/english/advisories/2006/0542 http://www.waraxe.us/advisory-44.html https://exchange.xforce.ibmcloud.com/vulnerabilities/24650 •
CVE-2005-4715
https://notcve.org/view.php?id=CVE-2005-4715
Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests. • http://archives.neohapsis.com/archives/bugtraq/2005-09/0119.html http://archives.neohapsis.com/archives/bugtraq/2005-09/0167.html http://archives.neohapsis.com/archives/bugtraq/2005-09/0176.html http://archives.neohapsis.com/archives/bugtraq/2005-09/0226.html http://phpnuke.org/modules.php?name=News&file=article&sid=7434 http://secunia.com/advisories/16801 http://securityreason.com/securityalert/3 http://www.nukefixes.com/ftopict-1779-.html#7641 http://www.osvdb.org/19351 https: •