CVE-2004-1724

php_fusion - Unprotected Database Backup Exposure via World-Writable Directory

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-1724. PoCs published by Ahmad Muammar.

AI-analyzed exploit summary This is a vulnerability writeup describing an information disclosure issue in PHP-Fusion where unauthenticated attackers can download database backups containing sensitive user data and password hashes. The issue is due to improper access controls on backup files.

Description

The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Ahmad Muammar · textwebappsphp
https://www.exploit-db.com/exploits/24384

This is a vulnerability writeup describing an information disclosure issue in PHP-Fusion where unauthenticated attackers can download database backups containing sensitive user data and password hashes. The issue is due to improper access controls on backup files.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: PHP-Fusion 4.00
No auth needed
Prerequisites: Network access to the target server · Knowledge of the backup file path
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/12336
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10974
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109285292901685&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/17037

Scores

EPSS 0.0693
EPSS Percentile 93.3%

Details

Status published
Products (1)
php_fusion/php_fusion 4.0
Published Aug 18, 2004
Tracked Since Feb 18, 2026