CVE-2009-0711

PHPFootball 1.6 - Exposure of Sensitive Information via dbtable and dbfield Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0711. PoCs published by KinG-LioN.

AI-analyzed exploit summary: This exploit targets a hash disclosure vulnerability in PHPFootball <= 1.6 by sending a crafted HTTP GET request to the 'filter.php' script, which leaks password hashes from the 'Accounts' table. The script parses the response to extract the disclosed hashes.

Description

filter.php in PHPFootball 1.6 and earlier allows remote attackers to retrieve password hashes via a request with an Accounts value for the dbtable parameter, in conjunction with a Password value for the dbfield parameter. NOTE: this has been reported as a SQL injection vulnerability by some sources, but the provenance of that information is unknown.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by KinG-LioN · perl · webapps · php
https://www.exploit-db.com/exploits/7636


Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PHPFootball <= 1.6
No auth needed
Prerequisites: Network access to the target web server · PHPFootball <= 1.6 installed with default configuration
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/51102
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33367
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7636

Scores

EPSS 0.0121
EPSS Percentile 64.4%

Details

CWE: CWE-200
Status: published
Products (2):
vlad_alexa_mancini/phpfootball 1.5
vlad_alexa_mancini/phpfootball 1.6
Published: Feb 23, 2009
Tracked Since: Feb 18, 2026