CVE-2009-2219

phpCollegeExchange 0.1.5c - Cross-Site Scripting via Session Handle or Home Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2219. PoCs published by CraCkEr.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in phpCollegeExchange 0.1.5c, including Remote File Inclusion (RFI), Local File Inclusion (LFI), and Cross-Site Scripting (XSS). The exploit provides URLs to trigger these vulnerabilities by manipulating the 'home' and '_SESSION[handle]' parameters.

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpCollegeExchange 0.1.5c allow remote attackers to inject arbitrary web script or HTML via the (1) _SESSION[handle] parameter to (a) home.php, (b) books/allbooks.php, or (c) books/home.php; or the (2) home parameter to (d) i_head.php or (e) i_nav.php, or (f) allbooks.php, (g) home.php, or (h) i_nav.php in books/.

Exploits (1)

exploitdb WORKING POC VERIFIED
by CraCkEr · textwebappsphp
https://www.exploit-db.com/exploits/9008

This exploit demonstrates multiple vulnerabilities in phpCollegeExchange 0.1.5c, including Remote File Inclusion (RFI), Local File Inclusion (LFI), and Cross-Site Scripting (XSS). The exploit provides URLs to trigger these vulnerabilities by manipulating the 'home' and '_SESSION[handle]' parameters.

Classification
Working Poc 90%
Attack Type
Rce | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: phpCollegeExchange 0.1.5c
No auth needed
Prerequisites: Target application must be running phpCollegeExchange 0.1.5c · Register Globals must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9008
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35452

Scores

EPSS 0.0122
EPSS Percentile 64.6%

Details

CWE
CWE-79
Status published
Products (1)
david_degner/phpcollegeexchange 0.1.5c
Published Jun 25, 2009
Tracked Since Feb 18, 2026