CVE-2008-1556

BolinOS 4.6.1 - Cross-Site Scripting via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-1556. PoCs published by DSecRG.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in BolinOS 4.6.1, including Local File Include (LFI), Cross-Site Scripting (XSS), and system information disclosure. The LFI allows arbitrary file reading via path traversal, while XSS vulnerabilities are present in both GET and POST parameters.

Description

Multiple cross-site scripting (XSS) vulnerabilities in BolinOS 4.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to (a) system/actionspages/_b/contentFiles/gBImageViewer.php, (2) ForEditor parameter to (b) system/actionspages/_b/contentFiles/gBselectorContents.php, (3) the PATH_INFO to (c) gBLoginPage.php and (d) gBPassword.php in system/actionspages/_b/contentFiles/, (4) formlogin parameter to system/actionspages/_b/contentFiles/gBLoginPage.php, and the (5) bolini_searchengine46Search parameter to (e) help/index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DSecRG · textwebappsphp

https://www.exploit-db.com/exploits/5309

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in BolinOS 4.6.1, including Local File Include (LFI), Cross-Site Scripting (XSS), and system information disclosure. The LFI allows arbitrary file reading via path traversal, while XSS vulnerabilities are present in both GET and POST parameters.

Classification

Working Poc 90%

Attack Type

Xss | Info Leak | Lfi

Complexity

Trivial

Reliability

Reliable

Target: BolinOS 4.6.1

No auth needed

Prerequisites: Network access to the target application

MITRE ATT&CK