The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tk Shop e-Commerce-Suite (aka 123tk Shop) 0.9.1, (3) php My Bit Torrent 1.2.2, (4) Torrent Flux 2.3, (5) e107 0.7.11, (6) Web ZE 0.5.9, (7) Open Media Collectors Database (aka Open Db) 1.5.0b4, and (8) Labgab 1.1 uses a code_background image and the PHP Image String function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings.
The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.
I have been around the nuke development community for some time now, more so lately in nuke evolution.
I have always been a part of the other faction, the ones who fix Burzi's work, patch all flaws, and better the code.
obviously does not care about the safety and quality of their products releasing them knowing that they can easily be hacked.
They should be blacklisted from every script installer or security conscious admin.
Francisco Burzi PHP-Nuke 8.0 allows remote attackers to obtain sensitive information via a direct request to a file, which reveals the installation path in an error message, as demonstrated by themes/Odyssey/ and certain other files.
You must go to the other nuke fork sites to obtain the patches and fixes. Burzi has known for some time that people such as Chatserv, Evaders and Raven have been fixing his apps forever and he is too arrogant or ignorant to make the fixes and he does not offer any advice or links to those sites on his.
Multiple PHP remote file inclusion vulnerabilities in modules/My_e Gallery/public/display in the panda BB module for PHP-Nuke allow remote attackers to execute arbitrary PHP code via a URL in the (1) adminpath or (2) basepath parameters.

Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 and 6.5 allow remote authenticated users to execute arbitrary SQL commands via (1) a uid (user) cookie to modules.php; and allow remote attackers to execute arbitrary SQL commands via an aid (admin) cookie to the Web_Links module in a (2) viewlink, (3) Most Popular, or (4) New Links Date action, different vectors than CVE-2003-0279.
A short article on how knowingly releases a vulnerable and easy to hack product and how it puts webmasters in a compromising situation.
I think if someone starts a project like this they must keep their apps up to date, and most CMS developers do. The problem is that php-nuke is now largely popular; if you go on their site you can see there are 1000 people online at any given time, and you also see it is on every script installer.
The makers of those installers either know it is dangerous but continue to offer it because it is so popular, or they assume, as most do, that since it is the latest version it must be safe.
Sites like ravenphpscripts.com, nuke-evolution.com, and are the ones who have provided the community with safe and secure nuke versions and various other modifications.