CVE-2006-4754

PHProg < 1.1 - Cross-Site Scripting via Album Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4754. PoCs published by cdg393.

AI-analyzed exploit summary The provided text describes a vulnerability in PHProg version 1.0, which is prone to cross-site scripting (XSS) and local file inclusion (LFI) due to insufficient sanitization of user-supplied data. The example demonstrates an XSS attack vector via the 'album' parameter.

Description

Cross-site scripting (XSS) vulnerability in index.php in PHProg before 1.1 allows remote attackers to inject arbitrary web script or HTML via the album parameter, which is used in an opendir call. NOTE: the same primary issue can be used for full path disclosure with an invalid parameter that reveals the installation path in an error message.

Exploits (1)

exploitdb WRITEUP VERIFIED

by cdg393 · textwebappsphp

https://www.exploit-db.com/exploits/28510

View Code ZIP pw:eip

The provided text describes a vulnerability in PHProg version 1.0, which is prone to cross-site scripting (XSS) and local file inclusion (LFI) due to insufficient sanitization of user-supplied data. The example demonstrates an XSS attack vector via the 'album' parameter.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PHProg 1.0

No auth needed

Prerequisites: Access to the vulnerable PHProg application

MITRE ATT&CK