CVE-2005-3048

phpmyfaq 1.5.1 - Directory Traversal and Arbitrary File Read via LANGCODE Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-3048. PoCs published by rgod.

AI-analyzed exploit summary This exploit targets a shell injection vulnerability in PhpMyFAQ 1.5.1 by injecting a PHP shell into the User-Agent header and then including a log file to execute arbitrary commands. It requires magic_quotes_gpc to be off.

Description

Directory traversal vulnerability in index.php in PhpMyFaq 1.5.1 allows remote attackers to read arbitrary files or include arbitrary PHP files via a .. (dot dot) in the LANGCODE parameter, which also allows direct code injection via the User Agent field in a request packet, which can be activated by using LANGCODE to reference the user tracking data file.

Exploits (1)

exploitdb WORKING POC VERIFIED
by rgod · phpwebappsphp
https://www.exploit-db.com/exploits/1226

This exploit targets a shell injection vulnerability in PhpMyFAQ 1.5.1 by injecting a PHP shell into the User-Agent header and then including a log file to execute arbitrary commands. It requires magic_quotes_gpc to be off.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PhpMyFAQ 1.5.1 (possibly prior versions)
No auth needed
Prerequisites: magic_quotes_gpc off · PHP with allow_call_time_pass_reference and register_globals enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/19672
Various Sources x_refsource_misc
http://rgod.altervista.org/phpmyfuck151.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=112749230124091&w=2

Scores

EPSS 0.0831
EPSS Percentile 94.2%

Details

Status published
Products (1)
phpmyfaq/phpmyfaq 1.5.1
Published Sep 24, 2005
Tracked Since Feb 18, 2026