CVE-2009-2884 in World's Tallest Buildings

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts Now World's Tallest Buildings allows remote attackers to inject arbitrary web script or HTML via the rank parameter.


Analysis

by VulDB Data Team • 07/30/2025

CVE-2009-2884 is a classic cross-site scripting flaw in the bios.php script of the "World's Tallest Buildings" PHP application developed by PHP Scripts. The weakness lies in the handling of the rank parameter: user input is incorporated into dynamically generated page content without proper sanitization. It is classified under CWE-79 (improper neutralization of input during web page generation), the weakness category that covers XSS. The flaw lets an attacker execute script in the browsers of other users, threatening the confidentiality and integrity of information handled by the vulnerable application.

Exploitation consists of supplying a crafted value containing HTML or JavaScript in the rank parameter of bios.php. Because the application processes this input without adequate validation or sanitization, the payload is embedded in the page's HTML output and executes in the browser of any user who visits the affected page. Such an attack lets a threat actor act on behalf of authenticated users, which can lead to session hijacking, data theft, or redirection of users to malicious websites. The root cause is the application's parameter handling: user-supplied data flows from the request parameter straight into output generation without encoding or filtering.

From an operational perspective, this XSS vulnerability has significant security implications for organizations running the affected PHP Scripts application. The attack surface extends beyond simple script execution to data exfiltration, credential theft, and manipulation of the application's user interface to deceive victims into performing unintended actions. Attackers could use the flaw to steal session cookies, alter displayed content, or redirect users to phishing sites that capture login credentials. The impact is heightened because the application likely serves public content, so any visitor to the affected page could become a victim. The vulnerability is a gap in the application's input validation and output encoding, and the attack can be reflected or persistent depending on how the application stores and processes the injected input.

Mitigation for CVE-2009-2884 should focus on robust input validation and output encoding throughout the application's codebase. The primary remediation is to sanitize all user-provided input, the rank parameter in particular, and to apply proper output encoding such as HTML entity encoding before data is written into page output. Organizations should deploy Content Security Policy headers to limit execution of unauthorized scripts and establish an input validation framework that rejects or filters potentially malicious content. The application should also be updated to a patched vendor version that addresses this specific vulnerability, since the original codebase likely contains similar weaknesses. Remediation should further include regular security assessments and code reviews to find and fix comparable flaws in other parameters and functions, following established guidance such as the OWASP Top Ten and NIST cybersecurity guidelines for comprehensive protection against XSS and other web application threats.
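The following PHP is an added illustration of the two paragraphs above; it is neither the vendor's bios.php nor VulDB's code. It contrasts the unencoded echo pattern that CWE-79 describes with the validate-then-encode handling and the Content Security Policy header the mitigation calls for. The function names, the assumption that rank is a small positive integer, and the sample input are assumptions constructed for this example.

```php
<?php
// Added example (hypothetical reconstruction, not the original bios.php).
// Shows the flawed pattern CWE-79 describes and a hardened replacement.
declare(strict_types=1);

// Flawed pattern: the rank parameter is written into the HTML body unencoded,
// so any markup or script in the request parameter reaches the browser as-is.
function render_rank_unsafe(string $rank): string
{
    return '<h2>Rank: ' . $rank . '</h2>';
}

// Step 1: validate. A list rank is assumed to be a small positive integer;
// anything else (including rank[]=..., which arrives as an array) is rejected.
function parse_rank($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    if (preg_match('/^[1-9][0-9]{0,3}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Step 2: encode for the HTML body context at the point of output, even though
// the value is already numeric, so the rule "encode at output" holds regardless
// of what validation happened upstream.
function render_rank_safe(int $rank): string
{
    $encoded = htmlspecialchars((string) $rank, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Rank: ' . $encoded . '</h2>';
}

// Step 3: defence in depth. A CSP that only allows same-origin scripts limits
// what an injected inline script could do if encoding were ever missed.
// Headers must be sent before any output.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli') {
    // Web request path: headers, validation, encoded output.
    send_security_headers();
    $rank = parse_rank($_GET['rank'] ?? null);
    if ($rank === null) {
        http_response_code(400);
        echo '<p>Invalid rank.</p>';
        exit;
    }
    echo render_rank_safe($rank);
} else {
    // CLI demonstration with a constructed input containing markup.
    $probe = '<i>constructed</i>';
    echo render_rank_unsafe($probe), PHP_EOL;   // markup passes through unencoded
    echo htmlspecialchars($probe, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL; // entity-encoded
    var_dump(parse_rank($probe));               // rejected by validation
    echo render_rank_safe(parse_rank('7') ?? 0), PHP_EOL; // accepted and encoded
}
```

Run with `php example.php` to see the unencoded and encoded renderings side by side; served under a web server, the same file validates the rank parameter and sends the CSP header before emitting any markup.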

Reservation: 08/20/2009

Disclosure: 08/20/2009

Moderation: accepted

Entry: VDB-49534

CPE: ready

Exploit: Download

EPSS: 0.01498

KEV: no

Activities: very low

Sources
