CVE-2004-1530

An attacker sends a crafted HTTP GET request to the PHP-Nuke Calendar module, supplying malicious SQL in the `eid` or `cid` parameters [ref_id=1][ref_id=2]. Because these variables are not enclosed in single quotes in the SQL query, the attacker can inject arbitrary SQL commands. The advisory provides a proof-of-concept URL that uses a UNION ALL SELECT payload to extract admin credentials from the `nuke_authors` table [ref_id=1][ref_id=2].

The advisory identifies that SQL queries in the Event Calendar module use the variables `$eid` and `$cid` without surrounding them with single quotes [ref_id=1][ref_id=2]. The vulnerable code resides in the module's PHP files that handle the `eid` and `cid` parameters, though the advisory does not name specific function or file paths beyond the module name.

No official patch was ever released by the vendor; the advisory states that after being contacted in September 2004 the developer stopped responding and the downloadable version remained unpatched [ref_id=1][ref_id=2]. The advisory directs users to community forums for patching help [ref_id=1][ref_id=2]. A proper fix would involve sanitizing or quoting the `$eid` and `$cid` variables before they are used in SQL queries.

1. Ensure the Event Calendar module 2.13 is installed on a PHP-Nuke instance. 2. Send a request to the following URL, replacing `localhost/nuke73` with the target base path: `http://localhost/nuke73/modules.php?name=Calendar&file=index&type=view&eid=-99%20UNION%20ALL%20SELECT%201,1,aid,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper=1` [ref_id=1][ref_id=2]. 3. Observe that the response includes admin usernames and password hashes from the `nuke_authors` table.