CVE-2007-3585

MyCMS < 0.9.8 - Remote File Inclusion via games.php id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-3585. PoCs published by BlackHawk.

AI-analyzed exploit summary: This exploit leverages a file inclusion vulnerability in MyCMS <= 0.9.8 to achieve remote command execution by writing a malicious PHP shell to the target system. It abuses insecure file handling in game score management and arbitrary file inclusion via the 'scoreid' parameter.

Description

PHP remote file inclusion vulnerability in games.php in MyCMS 0.9.8 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the id parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by BlackHawk · php · webapps · php
https://www.exploit-db.com/exploits/4144

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MyCMS <= 0.9.8
No auth needed
Prerequisites: Target must have MyCMS <= 0.9.8 installed · Game score files must be writable · PHP file inclusion must be enabled
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4144
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24757
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/43962

Scores

EPSS 0.0234
EPSS Percentile 81.4%

Details

Status published
Products (1)
mycms/mycms < 0.9.8
Published Jul 05, 2007
Tracked Since Feb 18, 2026