CVE-2007-1394

Flat Chat 2.0 - Remote Code Execution via Chat Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1394. PoCs published by Dj7xpl.

AI-analyzed exploit summary This exploit leverages a remote code execution vulnerability in Flat Chat 2.0 by injecting PHP code into the 'Chat Name' field, allowing arbitrary command execution via the 'cmd' parameter in users.php.

Description

Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dj7xpl · textwebappsphp

https://www.exploit-db.com/exploits/3428

View Code ZIP pw:eip

This exploit leverages a remote code execution vulnerability in Flat Chat 2.0 by injecting PHP code into the 'Chat Name' field, allowing arbitrary command execution via the 'cmd' parameter in users.php.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Flat Chat 2.0

No auth needed

Prerequisites: Access to the Flat Chat application's index.php page

MITRE ATT&CK