CVE-2002-2298

Thatware 0.3-0.5.3 - Remote Code Execution via config.php root_path Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-2298.

AI-analyzed exploit summary: This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Thatware 0.4.6 by manipulating the 'root_path' parameter in 'config.php' to include a remote shell. The attack allows arbitrary code execution by referencing a malicious PHP script hosted on an external server.

Description

PHP remote file inclusion vulnerability in config.php in Thatware 0.3 through 0.5.3 allows remote attackers to execute arbitrary PHP code via the root_path parameter.

Exploits (1)

exploitdb · WORKING POC · webapps · php
https://www.exploit-db.com/exploits/2166

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Thatware 0.4.6
No auth needed
Prerequisites: Remote shell script hosted on an accessible server · Target server with 'allow_url_fopen' enabled
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/10758
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0000.html
Exploit vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1005733

Scores

EPSS 0.0196
EPSS Percentile 77.7%

Details

CWE: CWE-94
Status: published
Products (1): atthat.com/thatware < 0.5.3
Published: Dec 31, 2002
Tracked Since: Feb 18, 2026