PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change

Related Vulnerabilities: CVE-2001-0383  
Publish Date: 02 Apr 2001
Author: Juan Diego

PHP-Nuke is a website creation/maintenance tool written in PHP3.

A PHP-Nuke feature supporting cycling ad banners is subject to interference from a remote user.

An unpatched server accepts a query string that lets a remote user specify a new destination URL, which is then opened in a visitor's browser when the visitor clicks one of the PHP-Nuke site's ad banners.

By changing the click-through destination of a banner ad, an attacker could interfere with the target's ad-based revenue generation.

To change the URL of the first banner you should enter in your browser


If we want to change banner number 1 to redirect to


we write

(where is the server running PHP-Nuke)
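
The kind of check whose absence allows the behaviour described above, shown as an added example that is not PHP-Nuke code or part of the original advisory. It assumes the flaw is a change handler that acts on query-string parameters without verifying the sender; the function names, parameter names (`bid`, `url`, `csrf`), session keys and sample data are all hypothetical.

```php
<?php
// Added illustration with hypothetical names; this is not PHP-Nuke source code.

// Weak form (assumed shape of the flaw): any request may rewrite the click-through URL.
function change_url_unchecked(array &$banners, array $query): void
{
    $banners[(int)($query['bid'] ?? 0)]['clickurl'] = (string)($query['url'] ?? '');
}

// Hardened form: POST only, owner session, CSRF token, http(s) destinations only.
function change_url_checked(array &$banners, string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // a state change must not ride on a GET query string
    }
    $bid = filter_var($post['bid'] ?? null, FILTER_VALIDATE_INT);
    if ($bid === false || !isset($banners[$bid])) {
        return false; // unknown banner
    }
    $user = $session['user'] ?? null;
    if (!is_string($user) || $user !== $banners[$bid]['owner']) {
        return false; // caller is not the authenticated owner of this banner
    }
    $sent = $post['csrf'] ?? '';
    $want = $session['csrf'] ?? '';
    if (!is_string($sent) || !is_string($want) || $want === '' || !hash_equals($want, $sent)) {
        return false; // missing or forged anti-CSRF token
    }
    $url = filter_var($post['url'] ?? '', FILTER_VALIDATE_URL);
    $scheme = $url === false ? '' : strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false; // reject javascript:, data: and malformed destinations
    }
    $banners[$bid]['clickurl'] = $url;
    return true;
}

// Constructed sample data and requests.
$banners = [1 => ['owner' => 'client-a', 'clickurl' => 'https://advertiser.example/']];
$session = ['user' => 'client-a', 'csrf' => 'constructed-token'];

// Anonymous request in the query-string style: GET, no session.
var_dump(change_url_checked($banners, 'GET', ['bid' => '1', 'url' => 'https://other.example/'], []));
// Banner owner's POST carrying the session's token.
var_dump(change_url_checked($banners, 'POST',
    ['bid' => '1', 'url' => 'https://advertiser.example/new', 'csrf' => 'constructed-token'], $session));
```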