CVE-2008-0648
OpenSiteAdmin < 0.9.1.1 - Remote Code Execution via Path Parameter in Multiple Scripts
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-0648. PoCs published by Trancek.
AI-analyzed exploit summary
This exploit demonstrates a local file inclusion (LFI) vulnerability in OpenSiteAdmin 0.9.1 BETA due to improper handling of the 'path' parameter in multiple PHP scripts. The vulnerability allows remote attackers to include arbitrary files via null byte injection, provided that 'Register Globals' is enabled and 'Magic_quotes_gpc' is disabled.
Description
Multiple PHP remote file inclusion vulnerabilities in OpenSiteAdmin 0.9.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) indexFooter.php; and (2) DatabaseManager.php, (3) FieldManager.php, (4) Filter.php, (5) Form.php, (6) FormManager.php, (7) LoginManager.php, and (8) Filters/SingleFilter.php in scripts/classes/.