CVE-2004-0128

phpGedView <= 2.65.1 - Remote File Inclusion via PGV_BASE_DIRECTORY Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0128. PoCs published by Cedric Cochin.

AI-analyzed exploit summary This exploit demonstrates a remote file inclusion vulnerability in PhpGedView by manipulating the 'PGV_BASE_DIRECTORY' parameter to include arbitrary remote files. The vulnerability allows remote code execution due to improper input validation.

Description

PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Cedric Cochin · textwebappsphp

https://www.exploit-db.com/exploits/23617

View Code ZIP pw:eip

This exploit demonstrates a remote file inclusion vulnerability in PhpGedView by manipulating the 'PGV_BASE_DIRECTORY' parameter to include arbitrary remote files. The vulnerability allows remote code execution due to improper input validation.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: PhpGedView versions 2.65.1 and prior

No auth needed

Prerequisites: Network access to the vulnerable PhpGedView instance · Ability to host a malicious file on a remote server

MITRE ATT&CK