Description
The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Rynho Zeros Web · text · webapps · php
https://www.exploit-db.com/exploits/22598
References (3)
Core References
Exploit mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/321313
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/7589
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/12436
Scores
EPSS
0.0005
EPSS Percentile
15.8%
Details
CWE
CWE-200
Status
published
Products (7)
francisco_burzi/php-nuke
6.0
francisco_burzi/php-nuke
6.5
francisco_burzi/php-nuke
6.5_beta1
francisco_burzi/php-nuke
6.5_final
francisco_burzi/php-nuke
6.5_rc1
francisco_burzi/php-nuke
6.5_rc2
francisco_burzi/php-nuke
6.5_rc3
Published
Dec 31, 2003
Tracked Since
Feb 18, 2026