Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpwcms.txt

🗓️ 20 Nov 2005 00:00:00Reported by Stefan LochbihlerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Vulnerabilities in PHPWCMS 1.2.5-DE

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Author: Stefan Lochbihler  
Date: 14. November 2005  
Software: PHPWCMS  
Version: 1.2.5-DEV  
URL: http://www.phpwcms.de  
Attack: Directory traversal vulnerability,CSS  
  
  
  
about:  
phpwcms is an Open Source web content management system.  
It is optimized for fast and easy setup and works on any  
standard webserver platform that supports PHP/MySQL and was  
tested successfully on Windows 2000/XP, MacOSX and LINUX.  
phpwcms is perfect for professional, public and private users.  
It is very easy to learn and gives you the flexibility to  
separate layout and content. Lots of powerful but simple  
implemented features assists publishers and web developers too.  
  
  
info:  
During an audit of the phpwcms project i find out that  
it is vulnerable to the following attacks.  
  
[1]  
  
First the login.php script is vulnerable to a directory traversal  
attack.  
  
Through the following packet it is possible to read  
sensitive data.  
www.target.com/phpwcms/login.php?  
POST:form_lang=../../../../../../../../etc/passwd%00  
  
[2]  
  
The same bug exist at the random_image.php script located at /img.  
Do the condition of the code its not possible to read a well  
aimed file.  
  
Through the following packet it is possible to read  
sensitive data.  
www.target.com/phpwcms/img/random_image.php?  
GET:imgdir=../../../etc/  
  
[3]  
  
The act_newsletter.php located at /include/inc_act is vulnerable to  
a cross site scripting attack. Through this its possible to read  
sensitive cookie informations.  
  
Through the following packet it is possible to read  
sensitive data.  
www.target.com/phpwcms/include/inc_act/act_newsletter.php?i=  
V:[email protected]:<script>alert(document.cookie)</script>)   
  
//base64encode  
  
  
[4]  
  
If register_globals is set to on the same script is vulernable  
to a cross site scripting attack.  
  
Through the following packet it is possible to read  
sensitive data.  
www.target.com/phpwcms/include/inc_act/act_newsletter.php?  
text=<script>alert(document.cookie)</script>  
  
  
Vendor Status: The vendor is informed !  
  
  
Discovered by Stefan Lochbihler  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.1 (GNU/Linux)  
  
iD8DBQFDeRZmaZIyFDbShWQRAuQCAKCIkq8RVVe6XCRsZUEGVK9l/1lWNwCePP8/  
IUTMQ2QzFYdc6yP+rPpYxLI=  
=ySQs  
-----END PGP SIGNATURE-----  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Nov 2005 00:00Current
7.4High risk
Vulners AI Score7.4
phpwcmsdirectory traversalcsscross site scriptingphp/mysqlwindows 2000/xpmacosxlinuxvendor status
22