PHP Nuke is a web portal creation and management package, implemented in the PHP scripting language. The default installation includes the script 'admin/case/case.filemanager.php', which can be used to copy and delete files on the server file system. The script contains code intended to ensure that it is only called by the administrative script responsible for user authentication, but this check is implemented incorrectly. As a result, any remote user may call the script directly without authenticating, and copy and delete any file on the server, subject to the user permissions under which the script executes.
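For log review, the following added example (not part of the original advisory or of PHP Nuke) flags HTTP requests that name the script directly; since the script is meant to be invoked only by the authenticating administrative script, any request whose path resolves to it did not go through that script. It assumes a common/combined access-log format, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Script path named in the advisory. It is meant to be reached only through the
# authenticating admin script, so an HTTP request for this path is a direct call.
PROTECTED = "/admin/case/case.filemanager.php"
HIT_RE = re.compile(re.escape(PROTECTED) + r"(/|$)")

# Assumed common/combined log format: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /admin.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2001:10:01:00 +0000] "GET /admin/case/case.filemanager.php HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Jan/2001:10:01:05 +0000] "POST /nuke//admin/./case/Case.FileManager.php HTTP/1.0" 200 298',
    '198.51.100.9 - - [01/Jan/2001:10:02:00 +0000] "GET /admin/case/case%2Efilemanager.php HTTP/1.0" 200 301',
    '192.0.2.10 - - [01/Jan/2001:10:03:00 +0000] "GET /index.php?ref=/admin/case/case.filemanager.php HTTP/1.0" 200 9000',
]

def normalize(target):
    """Canonicalize a request target so encoded or padded paths compare equal."""
    path = target.split("?", 1)[0].split("#", 1)[0]   # a query string is not the path
    prev = None
    while prev != path:                                # undo nested percent-encoding
        prev, path = path, unquote(path)
    path = "/" + path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(path).lower()            # resolves //, ./ and ../

def direct_requests(lines):
    """Return (client, method, status, raw_target) for each direct request to the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip lines in another format
        client, method, target, status = m.groups()
        if HIT_RE.search(normalize(target)):
            hits.append((client, method, int(status), target))
    return hits

if __name__ == "__main__":
    for hit in direct_requests(SAMPLE_LOG):
        print(hit)
```

A hit shows only that the script was requested directly; the status code alone does not show whether a file was copied or deleted.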