ID
VAR-200112-0055
CVE
CVE-2001-0854
TITLE
PHP Nuke Copy and delete file vulnerabilities
Trust: 0.6
DESCRIPTION
PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary files by calling case.filemanager.php with admin.php as an argument, which sets the $PHP_SELF variable and makes it appear that case.filemanager.php is being called by admin.php instead of the user. PHP Nuke is a web portal creation and management package, implemented in the PHP scripting language. The default installation includes the script 'admin/case/case.filemanager.php', which can be used to copy and delete files on the server file system. While the script contains code used to ensure it is only called by an administrative script responsible for user authentication, the implementation of this is flawed. As a result, any remote user may call the script directly without authenticating, and copy and delete any file on the server, subject to the user permissions under which the script executes. Vulnerabilities exist in PHP-Nuke version 5.2
Trust: 1.26
AFFECTED PRODUCTS
| vendor: | francisco burzi | model: | php-nuke | scope: | eq | version: | 5.2 | Trust: 1.6 |
| vendor: | francisco | model: | burzi php-nuke | scope: | eq | version: | 5.2 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
Design Error
Trust: 0.9
EXTERNAL IDS
| db: | BID | id: | 3510 | Trust: 2.0 |
| db: | NVD | id: | CVE-2001-0854 | Trust: 1.7 |
| db: | CNNVD | id: | CNNVD-200112-059 | Trust: 0.7 |
| db: | XF | id: | 7478 | Trust: 0.6 |
| db: | BUGTRAQ | id: | 20011105 COPYING AND DELETING FILES USING PHP-NUKE | Trust: 0.6 |
| db: | VULHUB | id: | VHN-3661 | Trust: 0.1 |
REFERENCES
| url: | http://www.securityfocus.com/bid/3510 | Trust: 1.7 |
| url: | http://www.iss.net/security_center/static/7478.php | Trust: 1.7 |
| url: | http://marc.info/?l=bugtraq&m=100525739116093&w=2 | Trust: 1.0 |
| url: | http://marc.theaimsgroup.com/?l=bugtraq&m=100525739116093&w=2 | Trust: 0.6 |
| url: | http://www.ncc.org.ve/php-nuke.php3?op=english | Trust: 0.3 |
| url: | http://marc.info/?l=bugtraq&m=100525739116093&w=2 | Trust: 0.1 |
CREDITS
Discovered by Magnux Software, and posted to the BugTraq mailing list by masa@magnux.com on November 5, 2001.
Trust: 0.9
SOURCES
| db: | VULHUB | id: | VHN-3661 |
| db: | BID | id: | 3510 |
| db: | CNNVD | id: | CNNVD-200112-059 |
| db: | NVD | id: | CVE-2001-0854 |
LAST UPDATE DATE
2025-04-03T22:25:22.191000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-3661 | date: | 2016-10-18T00:00:00 |
| db: | BID | id: | 3510 | date: | 2001-11-05T00:00:00 |
| db: | CNNVD | id: | CNNVD-200112-059 | date: | 2006-09-22T00:00:00 |
| db: | NVD | id: | CVE-2001-0854 | date: | 2025-04-03T01:03:51.193 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-3661 | date: | 2001-12-06T00:00:00 |
| db: | BID | id: | 3510 | date: | 2001-11-05T00:00:00 |
| db: | CNNVD | id: | CNNVD-200112-059 | date: | 2001-12-06T00:00:00 |
| db: | NVD | id: | CVE-2001-0854 | date: | 2001-12-06T05:00:00 |