PHP-Nuke reveals passwords
A vulnerability in the PHP-Nuke content management system allows access to the underlying database. The cause of the problem is a bug in the filtering of the eid parameter during searches in the encyclopaedia module. Using specific parameter values, an attacker could inject SQL commands of his own and have them executed by the database, even though PHP-Nuke has had a dedicated anti-SQL injection function since version 7.8. The exploit does, however, require that the magic_quotes_gpc option is deactivated. An exploit which demonstrates the vulnerability is publicly available. It reads the MD5 hash of the administrator password. The availability of precalculated rainbow tables means MD5 hashes can rapidly be cracked.
Version 7.9 and probably previous versions are affected. The error should be fixed in PHP-Nuke 8.0. This version is, however, not free - the developers want US $12 for it. If you do not wish to upgrade, the exploit includes instructions for patching PHP-Nuke to fix the vulnerability.
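The report above describes the general shape of the bug (an id parameter reaching the query without adequate filtering) and notes that the exploit only works when magic_quotes_gpc is off. The following is an added illustration of that pattern and of a fix that does not depend on magic_quotes_gpc at all; it is not PHP-Nuke's code, and the table name `encyclopedia_terms`, the column names and the SQLite test database are assumptions for the example.

```php
<?php
// Added example, not PHP-Nuke code. Shows why relying on magic_quotes_gpc
// is not a defence and how to validate and bind an id parameter instead.
// Table/column names and the in-memory SQLite database are assumed here.

// Hypothetical weak pattern (not PHP-Nuke's actual code): the request value
// is spliced straight into the statement. magic_quotes_gpc only escapes
// quote characters; in a numeric context like "eid = ..." no quote is needed
// to change the statement, so that option offers no protection here.
function lookupTermUnsafe(PDO $db, string $eid): array
{
    $sql = "SELECT title FROM encyclopedia_terms WHERE eid = " . $eid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: enforce the expected type first, then bind the value so
// the database engine never parses it as part of the SQL text.
function lookupTerm(PDO $db, string $eid): array
{
    // ctype_digit() returns false for "", signs, spaces and anything non-numeric.
    if (!ctype_digit($eid)) {
        throw new InvalidArgumentException("eid must be a non-negative integer");
    }
    $stmt = $db->prepare("SELECT title FROM encyclopedia_terms WHERE eid = :eid");
    $stmt->bindValue(':eid', (int) $eid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Quick configuration check for an audit: the report says the exploit needs
// magic_quotes_gpc to be off, but code that is only safe when it is on is
// still broken; it should be treated as a finding either way.
function reliesOnMagicQuotes(): bool
{
    return (bool) ini_get('magic_quotes_gpc');
}

// Self-contained demonstration against a constructed in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE encyclopedia_terms (eid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO encyclopedia_terms VALUES (1, 'Alpha'), (2, 'Beta')");

// A well-formed id works the same in both versions.
print_r(lookupTerm($db, '2'));          // [['title' => 'Beta']]

// A malformed id is rejected before any SQL is built.
try {
    lookupTerm($db, '2 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

echo "magic_quotes_gpc in effect: ", reliesOnMagicQuotes() ? "yes" : "no", "\n";
```

The point of the contrast is that the fix lives in the application's handling of `eid`, not in a PHP runtime setting: a type check plus a bound parameter holds regardless of how the server is configured, which is also what a patch to the affected module should aim for.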
- SQL Injection vulnerability in encyclopaedia module, exploit and bug description from neosecurityteam