Seven new cross-site scripting vulnerabilities have been discovered in PHPNuke 6.0, a popular content management system used to power tens of thousands of web sites. Most of these issues could lead to the compromise of a site user’s cookies, which would give an attacker the ability to log-in as the victim. Two of the scripting holes, in both the Downloads and Web Links modules, are particularly dangerous as they can be exploited to steal the admin’s authentication cookies and gain control of the site. An advisory with details on the vulnerabilities was posted on Bugtraq; no response from the developers yet.

(N-Stalker Security Force)