CVE-2009-0710
PHPFootball 1.6 - Cross-Site Scripting via User or DBField Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-0710.
AI-analyzed exploit summary: This exploit targets a hash disclosure vulnerability in PHPFootball <= 1.6 by sending a crafted HTTP request to the 'filter.php' endpoint, which leaks user password hashes from the 'Accounts' table. The script parses the response to extract the disclosed hashes.
Description
Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Exploits (1)
This exploit targets a hash disclosure vulnerability in PHPFootball <= 1.6 by sending a crafted HTTP request to the 'filter.php' endpoint, which leaks user password hashes from the 'Accounts' table. The script parses the response to extract the disclosed hashes.