CVE-2004-1842 in PHP-Nuke

Summary

by MITRE

Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.

Analysis

by VulDB Data Team • 05/05/2025

The CVE-2004-1842 vulnerability represents a critical cross-site request forgery flaw affecting Php-Nuke versions 6.x through 7.1.0, demonstrating a fundamental weakness in web application security that has persisted across multiple iterations of this content management system. This vulnerability operates by exploiting the trust relationship between the web application and its users, where authenticated administrative sessions are manipulated through maliciously crafted web content. The specific exploitation vector involves an img tag containing a URL that points directly to the admin.php endpoint, which when processed by a victim's browser triggers unauthorized administrative actions without their knowledge or consent. The vulnerability stems from the absence of proper anti-CSRF token validation mechanisms within the administrative interfaces, allowing attackers to construct malicious payloads that automatically execute administrative commands when viewed by authenticated administrators.

The technical implementation of this flaw occurs because Php-Nuke fails to implement session validation checks that would normally be required for administrative operations. When an administrator visits a page containing the malicious img tag, their browser automatically requests the URL specified in the src attribute of the img tag, executing the administrative function as if the administrator had manually initiated the action. This type of vulnerability directly maps to CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications. The attack exploits the implicit trust that web browsers maintain with authenticated sessions, where the browser automatically includes cookies and authentication tokens in requests to the same domain, making it possible for attackers to leverage these credentials without needing to know the actual authentication details.

The operational impact of CVE-2004-1842 is severe and potentially devastating for organizations using vulnerable Php-Nuke installations, as it allows remote attackers to completely compromise administrative accounts and gain full control over the web application. Once an attacker successfully exploits this vulnerability, they can modify content, create new user accounts, delete database entries, and potentially escalate their privileges to system-level access depending on the underlying server configuration. The attack requires minimal technical expertise to execute, as it only requires crafting a simple HTML payload containing the malicious img tag, making it particularly dangerous in environments where administrators frequently visit untrusted websites or where the web application is hosted in a manner that exposes it to public browsing. This vulnerability aligns with ATT&CK technique T1566.001, which covers the use of malicious web content to execute unauthorized actions, and represents a classic example of how inadequate input validation and authentication checks can lead to complete system compromise.

The mitigation strategies for this vulnerability involve implementing robust anti-CSRF token mechanisms that require unique, unpredictable tokens for each administrative operation, ensuring that requests cannot be forged without knowledge of the current session state. Organizations should also check the Referer header, set SameSite cookie attributes, and ensure that administrative functions require explicit user confirmation before execution. The most effective long-term solution involves upgrading to patched versions of Php-Nuke where the CSRF protection mechanisms have been properly implemented, as the vulnerability fundamentally exposes the application architecture to unauthorized privilege escalation. Security professionals should also consider implementing web application firewalls that can detect and block suspicious administrative request patterns, and conduct regular security audits to identify similar vulnerabilities in other applications that may be susceptible to the same class of attacks.
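The request guard described in the mitigation paragraph, as an added PHP example that is not Php-Nuke's code or its patch. The function names, the `csrf_token` field and the host `cms.example` are assumptions, and the requests are constructed.

```php
<?php
declare(strict_types=1);

// Issue one unpredictable token per session; embed it in every admin form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing admin request may run (hypothetical helper).
function admin_request_allowed(array $server, array $post, array $session, string $ownHost): bool
{
    // An <img src=...> fetch is always a GET, so state changes are POST-only.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Secondary check: a Referer, when present, must name our own host.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer !== '' && parse_url($referer, PHP_URL_HOST) !== $ownHost) {
        return false;
    }
    // Primary check: constant-time comparison against the session token.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// In a real entry point, before session_start() (array form needs PHP >= 7.3):
// session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);

// Constructed requests, not captured traffic.
$session = [];
$token = csrf_token($session);
$cases = [
    'img-style GET'             => [['REQUEST_METHOD' => 'GET'], []],
    'POST without token'        => [['REQUEST_METHOD' => 'POST'], []],
    'cross-site POST'           => [['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://other.example/p'], ['csrf_token' => $token]],
    'same-site POST with token' => [['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://cms.example/admin.php'], ['csrf_token' => $token]],
];
foreach ($cases as $name => [$server, $post]) {
    $ok = admin_request_allowed($server, $post, $session, 'cms.example');
    printf("%-28s %s\n", $name, $ok ? 'allowed' : 'rejected');
}
```

Only the last case is allowed; the token comparison is the primary control, with the method and Referer checks as defence in depth.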

Reservation

05/04/2005

Disclosure

12/31/2004

Moderation

accepted

Entry

VDB-22931

CPE

ready

Exploit

Download

EPSS

0.00805

KEV

no

Activities

very low
