CVE-2004-1528

An attacker simply sends an HTTP GET request to any of the three vulnerable scripts — `config.php`, `index.php`, or `submit.php` — without the proper PHP-Nuke bootstrap context [ref_id=1]. Because the scripts attempt to include files (e.g., `mainfile.php`, `configset.php`) that are not present or not reachable from the direct URL, PHP emits warnings that disclose the full installation path on the server [ref_id=1]. No authentication, special payload, or complex preconditions are required; the disclosure occurs immediately upon accessing the URL [ref_id=1].

The vulnerability affects three files in the Event Calendar module 2.13 for PHP-Nuke: `config.php`, `index.php`, and `submit.php` [ref_id=1]. These scripts reveal the full server path in PHP error messages when accessed directly without the required include dependencies being present [ref_id=1]. The advisory shows that `config.php` fails to open `configset.php`, `mainfile.php`, and `modules//language/lang-english.php`, leaking the path `D:\apache_wwwroot\nuke73\modules\Calendar\config.php` [ref_id=1].

The advisory states that the vendor was contacted on 6 September 2004 and a detailed list of problems was sent on 8 September 2004, but the vendor never responded and no patched version was ever released [ref_id=1]. No official fix is available. The recommended remediation is to suppress PHP error reporting (e.g., by setting `display_errors = Off` in php.ini) or to manually add checks in each script to prevent direct access and to validate that required include files exist before attempting inclusion [ref_id=1].

1. Identify a target running PHP-Nuke with the Event Calendar module 2.13 installed. 2. Send an HTTP GET request to `http://target/nuke73/modules/Calendar/config.php`. 3. Observe the PHP warning messages in the response, which reveal the full server path (e.g., `D:\apache_wwwroot\nuke73\modules\Calendar\config.php`). 4. Repeat with `index.php` and `submit.php` in the same directory for additional path disclosures [ref_id=1].