CVE-2002-1954

PHP 4.2.3 phpinfo - Cross-Site Scripting

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1954. PoCs published by Matthew Murphy.

AI-analyzed exploit summary: This is a writeup describing a cross-site scripting (XSS) vulnerability in PHP scripts that use the phpinfo() function. The vulnerability allows remote attackers to inject hostile HTML or script code via a crafted URL parameter.

Description

Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Matthew Murphy · text · webapps · php
https://www.exploit-db.com/exploits/22725

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP scripts using phpinfo()
No auth needed
Prerequisites: A PHP script that includes the phpinfo() function and exposes it via a web interface
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0027.html
Third Party Advisory mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0021.html
Third Party Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/10355.php
Various Sources x_refsource_misc
http://www.techie.hopto.org/vulns/2002-36.txt

Scores

EPSS 0.1185
EPSS Percentile 95.6%

Details

Status published
Products (1)
php/php 4.2.3
Published Dec 31, 2002
Tracked Since Feb 18, 2026