CVE-2004-2295
Description
PHP-Nuke versions 6.0 through 7.3 are vulnerable to SQL injection in the Reviews module, allowing remote attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the Reviews module of PHP-Nuke, affecting versions 6.0 through 7.3. The vulnerability stems from insufficient sanitization of user-supplied input, specifically within the order parameter, allowing attackers to manipulate database queries.
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted request to the modules.php script with the name parameter set to Reviews and the order parameter containing malicious SQL syntax. An example URL demonstrating the exploit is provided: http://www.example.com/nuke73/modules.php?name=Reviews&rop=Q&order=[sql injection code here] [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary SQL commands against the application's database. This could lead to modification of the database's logic and structure, potentially resulting in unauthorized data access, modification, or deletion.
Mitigation
Patches for this vulnerability are not explicitly mentioned in the available references. Users are advised to upgrade to a non-vulnerable version of PHP-Nuke if available, or to apply any security patches provided by the vendor. No specific workaround is detailed in the provided references.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Failure to properly sanitize user-supplied input in the 'order' parameter of the Reviews module allows SQL injection."
Attack vector
An attacker can exploit this vulnerability by sending a crafted URI to the affected PHP-Nuke application. The URI includes malicious SQL syntax within the 'order' parameter of the Reviews module. This allows the attacker to modify the logic and structure of database queries executed by the application [1]. The example URI provided is http://www.example.com/nuke73/modules.php?name=Reviews&rop=Q&order=[sql injection code here] [1].
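Detection logic for the request shape described above, added here as an example (it is not code from the advisory or from PHP-Nuke). It assumes combined-format web server access logs and that a legitimate 'order' value is a plain sort key; the function names, the `SAFE_ORDER` pattern and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate sort key is a short identifier, optionally
# followed by a sort direction. Anything else is worth a look.
SAFE_ORDER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}(?: (?:ASC|DESC))?", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_order(target):
    """Return the decoded 'order' value if the request targets the Reviews
    module and the value is not a plain sort key; otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/modules.php"):
        return None
    query = parse_qs(parts.query)  # percent-decodes names and values
    if not any(v.lower() == "reviews" for v in query.get("name", [])):
        return None
    for value in query.get("order", []):
        if not SAFE_ORDER.fullmatch(value):
            return value
    return None

def scan(lines):
    """Yield (line_number, order_value) for each flagged access-log line."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            value = suspicious_order(match.group(1))
            if value is not None:
                yield number, value

# Constructed sample log lines (documentation IP addresses, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2026:10:00:01 +0000] "GET /nuke73/modules.php?name=Reviews&rop=Q&order=date HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Jun/2026:10:00:05 +0000] "GET /nuke73/modules.php?name=Reviews&rop=Q&order=date%20DESC HTTP/1.1" 200 5120',
    '192.0.2.66 - - [03/Jun/2026:10:01:12 +0000] "GET /nuke73/modules.php?name=Reviews&rop=Q&order=title%27 HTTP/1.1" 200 312',
    '192.0.2.12 - - [03/Jun/2026:10:02:00 +0000] "GET /nuke73/modules.php?name=News&order=title%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-identifier order value {value!r}")
```

Only the third sample line is flagged: the fourth carries the same value but targets a different module, so it falls outside this CVE's request shape.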
Affected code
The vulnerability exists in the Reviews module of PHP-Nuke versions 6.0 to 7.3. Specifically, the 'order' parameter is susceptible to SQL injection due to insufficient sanitization of user-supplied input [1].
What the fix does
The advisory does not specify a patch or provide details on how to fix this vulnerability. It only states that PHP-Nuke is prone to multiple vulnerabilities due to insufficient sanitization of user-supplied data [1]. Users are advised to upgrade to a patched version when available.
Preconditions
- input: The 'order' parameter in the Reviews module must be vulnerable to SQL injection.
Reproduction
- http://www.osvdb.org/7000
- http://www.securityfocus.com/archive/1/365865
- http://www.securityfocus.com/bid/10524
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0
No linked articles in our index yet.