CVE-2005-4781 in Top Music module
Summary
by MITRE
Multiple SQL injection vulnerabilities in SergiDs Top Music module 3.0 PR3 and earlier for PHP-Nuke allow remote attackers to execute arbitrary SQL commands via the (1) idartist, (2) idsong, and (3) idalbum parameters to modules.php.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/19/2025
The vulnerability identified as CVE-2005-4781 represents a critical security flaw in the SergiDs Top Music module version 3.0 PR3 and earlier versions for PHP-Nuke platforms. This issue manifests as multiple SQL injection vulnerabilities that create pathways for remote attackers to execute arbitrary SQL commands against the affected web applications. The vulnerability specifically targets three distinct parameter inputs within the modules.php file, namely idartist, idsong, and idalbum, which are processed without adequate input validation or sanitization measures.
The technical exploitation of this vulnerability occurs through the manipulation of these three parameters in the HTTP request to modules.php. When these parameters are passed directly into SQL queries without proper sanitization or parameterization, attackers can inject malicious SQL code that gets executed by the database server. This allows for unauthorized access to sensitive data, modification of database contents, and potentially complete system compromise. The vulnerability aligns with CWE-89 which categorizes SQL injection flaws as weaknesses that occur when user input is improperly filtered or escaped before being used in SQL queries, creating opportunities for attackers to manipulate database operations.
The operational impact of CVE-2005-4781 is severe and multifaceted, as it provides attackers with elevated privileges and direct database access capabilities. Remote attackers can leverage this vulnerability to extract confidential information such as user credentials, personal data, and system configurations. The attack surface is particularly concerning given that PHP-Nuke was widely deployed content management systems at the time of discovery, meaning that numerous websites and organizations could be potentially affected. The vulnerability's remote exploitability eliminates the need for local system access, making it particularly dangerous as attackers can target vulnerable systems from anywhere on the internet.
Security mitigations for this vulnerability should focus on immediate input validation and parameterization of all database queries. The recommended approach involves implementing proper input sanitization techniques to filter out or escape potentially malicious characters before processing user inputs. Database query parameterization should be enforced throughout the application code, ensuring that user-supplied data is treated as literal values rather than executable code. Additionally, implementing proper access controls and privilege separation within the database can limit the damage from successful exploitation attempts. Organizations should also consider applying the vendor-provided patches or upgrading to newer versions of the SergiDs Top Music module that address these SQL injection vulnerabilities. This vulnerability demonstrates the critical importance of following secure coding practices and adheres to ATT&CK technique T1190 which involves exploiting vulnerabilities in web applications to gain unauthorized access to systems. The remediation efforts should include comprehensive code reviews to identify similar patterns throughout the application and implementation of automated security testing procedures to prevent future occurrences of such vulnerabilities.