CVE-2005-1894
Published 2005-06-09
Priority: P3 43, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 3.46% (87.6th percentile)
Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flatnuke | flatnuke | — | — |
No detection rules found.
No writeups or analysis indexed.
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (source: mitre_cwe)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This issue is frequently found in PHP applications that allow users to set configuration variables that are stored within executable PHP files. Technically, this could also be performed in some compiled code (e.g., by byte-patching an executable), although it is highly unlikely.
Common Consequen
CWE-94: Improper Control of Generation of Code ('Code Injection') (source: mitre_cwe)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256
http://secunia.com/advisories/15603
http://securitytracker.com/id?1014114
http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt
http://www.vupen.com/english/advisories/2005/0697
Published: 2005-06-09