#51 Multiple Vulnerabilities with PHPW

Mr Goose

I don't want to worry anyone but it seems there are some moderately critical security issues with PHPWeather. According to an alert by Secunia (and others), dated 2008-12-15, PHPWeather 2.x has the following vulnerabilities:-

1) Input via the URL in config/make_config.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

2) Input passed to the "language" parameter in test.php (when "metar" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Unfortunately I don't have the PHP skills to fix it - well not yet anyway. Fortunately the vulnerable files are not part of the core and it seems to work OK without them (providing PHPW is set up already). So, as a temporary fix, it seems one could simply delete the offending files, or make them inaccessible to the web server using chmod. Alternatively one can use .htaccess & .htpasswd to allow password-only access to the offending files - assuming you actually want to use them.
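Added example, not part of the original post and not PHPWeather's own code: the two hardening patterns that match the reported issues, an allowlist for an include-selecting "language" value and HTML escaping of request-derived text before it is echoed. The function names, the `lang_<code>.php` file naming and the language list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not PHPWeather's own code.
// Constructed allowlist; a real one mirrors the language files actually shipped.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];

// Map a user-supplied "language" value to a file path, or null if rejected.
function resolve_language_file(string $requested, string $langDir): ?string
{
    // Strict allowlist comparison: traversal sequences ("../") and NUL bytes
    // can never equal one of the fixed entries, so they are rejected here.
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/lang_' . $requested . '.php');
    // Defence in depth: the file must exist and resolve inside $langDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Escape request-derived text before writing it into an HTML response.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demonstration data: one language file in a temporary directory.
$dir = sys_get_temp_dir() . '/pw_lang_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/lang_en.php', "<?php // constructed sample\n");

// Constructed inputs: a valid code, a traversal string with a NUL byte,
// and an allowlisted code whose file does not exist.
foreach (['en', "../en\0", 'de'] as $candidate) {
    $file = resolve_language_file($candidate, $dir);
    echo json_encode($candidate), ' => ', $file ?? 'rejected', "\n";
}

// Constructed URL fragment containing markup; it is printed as inert text.
echo html_escape('/make_config.php/"><em>constructed</em>'), "\n";
```

Calling code would `include` only a non-null return value of `resolve_language_file()` and pass every URL-derived string through `html_escape()` at the point of output.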


