https://www.exploit-db.com/exploits/24034
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1163

phProfession2.5版本的modules.php存在SQL注入漏洞。远程攻击者借助offset参数执行任意SQL代码。

source: http://www.securityfocus.com/bid/10190/info

Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported. 

Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.

These issues were reported to exist in phProfession 2.5. Other versions may also be affected.


http://www.example.com/postnuke0726/modules.php?op=modload&name=phprofession&file=index&offset=foobar

来源:XF
名称:phprofession-offset-sql-injection(15932)
链接:http://xforce.iss.net/xforce/xfdb/15932
来源:www.waraxe.us
链接:http://www.waraxe.us/index.php?modname=sa&id;=21
来源:BID
名称:10190
链接:http://www.securityfocus.com/bid/10190
来源:OSVDB
名称:5625
链接:http://www.osvdb.org/5625
来源:SECUNIA
名称:11465
链接:http://secunia.com/advisories/11465
来源:BUGTRAQ
名称:20040421[waraxe-2004-SA#021-Multiplevulnerabilitiesinphprofession2.5moduleforPostNuke]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108258931430060&w;=2