CVE-2002-1886

TightAuction 3.0 - Unauthenticated Sensitive Information Exposure via config.inc

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-1886. PoCs published by frog.

AI-analyzed exploit summary This exploit demonstrates an information disclosure vulnerability in TightAuction by retrieving the config.inc file via a direct web request, which exposes database credentials due to improper file extension handling.

Description

TightAuction 3.0 stores config.inc under the web document root with insufficient access control, which allows remote attackers to obtain the database username and password.

Exploits (1)

exploitdb WORKING POC VERIFIED

by frog · phpwebappsphp

https://www.exploit-db.com/exploits/21893

View Code ZIP pw:eip

This exploit demonstrates an information disclosure vulnerability in TightAuction by retrieving the config.inc file via a direct web request, which exposes database credentials due to improper file extension handling.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: TightAuction (version not specified)

No auth needed

Prerequisites: Target must have TightAuction installed with exposed config.inc file

MITRE ATT&CK

T1592 - Gather Victim Host Information T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/5850

Third Party Advisory vdb-entry x_refsource_xf

http://www.iss.net/security_center/static/10310.php

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2002-10/0016.html

Scores

EPSS 0.0284

EPSS Percentile 84.8%

Details

Status published

Products (1)

tightauction/tightauction 3.0

Published Dec 31, 2002

Tracked Since Feb 18, 2026