The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.
| CVE ID | Name | Status | References |
|---|---|---|---|
| CVE-2007-1520 | The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. |
Assigned (20070320) | BUGTRAQ:20070309 Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462308/100/100/threaded | BUGTRAQ:20070311 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462575/100/0/threaded | BUGTRAQ:20070313 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462727/100/0/threaded | MISC:http://phpfi.com/214668 | MISC:http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ | MISC:http://www.wisec.it/ush/phpnukexss.html | OSVDB:34501 | URL:http://osvdb.org/34501 | SECUNIA:24629 | URL:http://secunia.com/advisories/24629 |
Page created: