CVE-2002-1757

phprojekt 2.0-3.1 - Authentication Bypass via PATH_INFO Manipulation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1757. PoCs published by Ulf Harnhammar.

AI-analyzed exploit summary: The exploit describes an authentication bypass vulnerability in PHProjekt by manipulating the PATH_INFO variable via a crafted URL. This allows unauthenticated access to restricted scripts by appending extraneous paths.

Description

PHProjekt 2.0 through 3.1 relies on the $PHP_SELF variable for authentication, which allows remote attackers to bypass authentication for scripts via a request to a .php file with "sms" in the URL, which is included in the PATH_INFO portion of the $PHP_SELF variable, as demonstrated using "mail_send.php/sms".

Exploits (1)

exploitdb WRITEUP VERIFIED
by Ulf Harnhammar · text · webapps · php
https://www.exploit-db.com/exploits/21421

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: PHProjekt (version not specified)
No auth needed
Prerequisites: Access to the target PHProjekt instance
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4596
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/8943
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://online.securityfocus.com/archive/1/269407

Scores

EPSS 0.0314
EPSS Percentile 86.2%

Details

Status published
Products (11)
phprojekt/phprojekt 2.0
phprojekt/phprojekt 2.0.1
phprojekt/phprojekt 2.1
phprojekt/phprojekt 2.1a
phprojekt/phprojekt 2.2
phprojekt/phprojekt 2.3
phprojekt/phprojekt 2.4
phprojekt/phprojekt 2.4a
phprojekt/phprojekt 3.0
phprojekt/phprojekt 3.1
... and 1 more
Published Dec 31, 2002
Tracked Since Feb 18, 2026