search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Input-validation vulnerability in PHP-Nuke allows arbitrary command execution via request for remote web site

Vulnerability Note VU#221683

Original Release Date: 2002-09-16 | Last Revised: 2002-09-16


PHP-Nuke has an input-validation vulnerability that can lead to execution of arbitrary PHP code hosted on another web server.


PHP-Nuke is a tool designed to ease web site creation and maintenance. PHP-Nuke includes a script named index.php, which uses PHP's include() function to execute a PHP file specified in the CGI variable named "file." If supplied an HTTP URL, PHP's include() function will request the file from web server as shown in the URL. Since the index.php script does not check if the "file" variable contains an HTTP URL before including the file, it can be made to execute arbitrary PHP code from any reachable web server.


A remote attacker can force the server to run arbitrary PHP source code, with the user same privileges as the PHP server process on the victim host.


Apply a patch

Upgrade to version 5.5 or later of PHP-Nuke.

Change PHP configuration

Set allow_url_fopen to off in the PHP server configuration.

Vendor Information


PHP-Nuke Unknown

Updated:  June 06, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Nopman for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2002-0206
Severity Metric: 5.40
Date Public: 2002-01-16
Date First Published: 2002-09-16
Date Last Updated: 2002-09-16 22:10 UTC
Document Revision: 14

Sponsored by CISA.