CVE-2004-1971
Description
PHP-Nuke Video Gallery Module 0.1 Beta 5 exposes the full server path in error messages via invalid catid or clipid parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The modules.php script in PHP-Nuke Video Gallery Module version 0.1 Beta 5 fails to validate user-supplied input for the catid and clipid parameters. Passing an invalid value (e.g., a non-numeric string) triggers a PHP error message that reveals the full server filesystem path where the module is installed. This path disclosure occurs because the module uses the input directly in SQL queries without proper sanitization, and error reporting is set to display errors [1].
Exploitation
A remote attacker can send an HTTP GET request to modules.php with the name parameter set to the video gallery module and either an invalid catid or clipid parameter. No authentication is required. The attacker simply needs to craft a request such as modules.php?name=VideoGallery&l_op=viewclip&clipid=invalid or modules.php?name=VideoGallery&l_op=viewclip&catid=invalid. The server then returns an error message containing the full path of the script [1].
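The request shape described above can be flagged in web server access logs. The following is an added example, not part of the advisory or the module's code: it scans combined-format log lines for requests to modules.php with name=VideoGallery and a non-numeric catid or clipid. The log lines are constructed samples, and matching the module name case-insensitively is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Apr/2004:10:01:02 +0000] "GET /modules.php?name=VideoGallery&l_op=viewclip&clipid=12 HTTP/1.1" 200 5120
198.51.100.9 - - [26/Apr/2004:10:01:05 +0000] "GET /modules.php?name=VideoGallery&l_op=viewclip&clipid=invalid HTTP/1.1" 200 812
198.51.100.9 - - [26/Apr/2004:10:01:07 +0000] "GET /modules.php?name=VideoGallery&l_op=viewclip&catid=invalid HTTP/1.1" 200 790
203.0.113.4 - - [26/Apr/2004:10:02:11 +0000] "GET /modules.php?name=News&catid=abc HTTP/1.1" 200 4096
203.0.113.4 - - [26/Apr/2004:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
WATCHED = ("catid", "clipid")  # the two parameters named in the CVE description


def suspicious_params(target):
    """Return [(param, value)] for non-numeric catid/clipid sent to the module."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/modules.php"):
        return []
    query = parse_qs(url.query, keep_blank_values=True)
    # Assumption: the module name is matched case-insensitively.
    if "videogallery" not in [v.lower() for v in query.get("name", [])]:
        return []
    return [(p, v) for p in WATCHED for v in query.get(p, [])
            if not (v.isascii() and v.isdigit())]


def scan(log_text):
    """Return a list of (client_ip, param, value) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        for param, value in suspicious_params(m.group("target")):
            hits.append((m.group("ip"), param, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-numeric {param}={value!r} to VideoGallery")
```

An empty catid or clipid value is also flagged, since it is not a valid numeric identifier either.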
Impact
Successful exploitation leads to information disclosure: the attacker learns the server's internal directory structure, such as /home/www/.... While this does not directly compromise data or allow code execution, it provides valuable reconnaissance information that could be used to plan further attacks against the application or the server environment [1].
Mitigation
Whether the vendor released a fix is not explicitly stated. The advisory [1] recommends that users upgrade to the latest version of the module if available, or disable error message display by modifying PHP configuration to suppress error output. As of the publication date (2004-04-26), no patch is confirmed. The module may be abandoned or end-of-life; users should consider replacing it with a supported alternative [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.1 Beta 5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.