CVE-2007-1524
zomplog 3.7.6 - Directory Traversal via settings[skin] Parameter
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-1524. PoCs published by Bl0od3r.
AI-analyzed exploit summary
This exploit targets a local file inclusion (LFI) vulnerability in a web application, specifically leveraging log poisoning to achieve remote code execution (RCE). It attempts to inject PHP code into log files via crafted HTTP requests and then includes these logs to execute arbitrary commands.
Description
Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then be included via themes/default/.
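A detection sketch for the two log traces the description implies: a `..` segment in `settings[skin]` on a `themes/default/` request, and PHP open tags written into a logged field. This is an added example, not code from ZomPlog or from the published PoC; it assumes Apache combined log format, the function names are hypothetical, and the log lines are constructed. It also goes slightly beyond the description by undoing repeated percent-encoding before matching.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format; quoted fields may contain backslash escapes.
Q = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' (\d{3}) \S+(?: ' + Q + ' ' + Q + ')?')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}
    request, referer, agent = m.group(2), m.group(4) or "", m.group(5) or ""
    findings = set()
    parts = request.split(" ")
    url = urlsplit(parts[1] if len(parts) >= 2 else "")
    if "themes/default/" in fully_decode(url.path):
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # Flag a ".." path segment in the skin name, with / or \ separators.
            if fully_decode(key) == "settings[skin]" and \
                    ".." in re.split(r"[\\/]", fully_decode(value)):
                findings.add("skin_traversal")
    # PHP open tags in a logged field are the precursor to including the log.
    if any("<?" in fully_decode(f) for f in (request, referer, agent)):
        findings.add("php_in_log_field")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {n: classify(l) for n, l in enumerate(lines, 1)}
    return {n: f for n, f in hits.items() if f}

# Constructed sample lines (documentation IP ranges, harmless marker payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2007:10:00:00 +0000] "GET /themes/default/?settings[skin]=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2007:10:01:00 +0000] "GET /themes/default/?settings%5Bskin%5D=..%2F..%2Fexample HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2007:10:02:00 +0000] "GET /themes/default/?settings[skin]=%252e%252e%252fexample HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2007:10:03:00 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php echo 1; ?>"',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, sorted(findings))
```

A hit for `php_in_log_field` followed by a `skin_traversal` hit from the same client is the sequence worth escalating, since it matches the inject-then-include pattern in the description.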