CVE-2007-2304

qdblog < 0.4 - Directory Traversal via Theme Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-2304. PoCs were published by GoLd_M and Omni.

AI-analyzed exploit summary: This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Quick and Dirty Blog 0.4 via the 'theme' parameter in categories.php. The PoC uses directory traversal to read /etc/passwd by injecting a null byte to bypass file extension checks.

Description

Multiple directory traversal vulnerabilities in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter to categories.php and other unspecified files.

Exploits (2)

Exploit-DB · Working PoC · Verified
by GoLd_M · text · webapps · php
https://www.exploit-db.com/exploits/4603

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Quick and Dirty Blog 0.4
Authentication: none needed
Prerequisites: Target must be running Quick and Dirty Blog 0.4; categories.php must be accessible
Analyzed by devstral-2 on Feb 16, 2026

Exploit-DB · Writeup · Verified
by Omni · text · webapps · php
https://www.exploit-db.com/exploits/3729

The writeup describes SQL injection and local file inclusion vulnerabilities in QDBlog v0.4. It includes proof-of-concept examples for bypassing admin authentication and reading arbitrary files.

Classification: Writeup 90%
Attack Type: SQLi | Auth Bypass | Info Leak
Complexity: Trivial
Reliability: Reliable
Target: QDBlog v0.4
Authentication: none needed
Prerequisites: Access to the login page or categories.php
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/33634
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2007/1387
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/3729
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/23485
Third Party Advisory (mailing-list, x_refsource_vim): http://www.attrition.org/pipermail/vim/2007-April/001544.html

Scores

EPSS 0.0269
EPSS Percentile 83.9%

Details

Status: published
Products (1): qdblog/qdblog < 0.4
Published: Apr 26, 2007
Tracked Since: Feb 18, 2026