CVE-2008-5570

PHP Multiple Newsletters <2.7 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-5570. PoCs published by ahmadbady.

AI-analyzed exploit summary The exploit demonstrates a Local File Inclusion (LFI) and Cross-Site Scripting (XSS) vulnerability in PHP_Multiple_Newsletters v2.7. The LFI occurs due to unsanitized user input in the 'lang' parameter, while the XSS is triggered via improper handling of user input in the URL.

Description

Directory traversal vulnerability in index.php in PHP Multiple Newsletters 2.7, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ahmadbady · textwebappsphp

https://www.exploit-db.com/exploits/7400

View Code ZIP pw:eip

The exploit demonstrates a Local File Inclusion (LFI) and Cross-Site Scripting (XSS) vulnerability in PHP_Multiple_Newsletters v2.7. The LFI occurs due to unsanitized user input in the 'lang' parameter, while the XSS is triggered via improper handling of user input in the URL.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PHP_Multiple_Newsletters v2.7

No auth needed

Prerequisites: Access to the target application's URL

MITRE ATT&CK