CVE-2008-1866

PixelMotion Blog - Authenticated PHP ZIP Upload Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-1866. PoCs published by JIKO.

AI-analyzed exploit summary This is a writeup describing a remote file upload vulnerability in Blog PixelMotion. It provides instructions for uploading a shell via `modif_config.php` and accessing it through specific paths.

Description

admin/modif_config.php in Blog Pixel Motion (aka PixelMotion) does not require admin authentication, which allows remote authenticated users to upload arbitrary PHP scripts in a ZIP archive, which is written to templateZip/ and then automatically extracted under templates/ for execution via a direct request.

Exploits (2)

exploitdb WRITEUP VERIFIED

by JIKO · textwebappsphp

https://www.exploit-db.com/exploits/5381

View Code ZIP pw:eip

This is a writeup describing a remote file upload vulnerability in Blog PixelMotion. It provides instructions for uploading a shell via `modif_config.php` and accessing it through specific paths.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: Blog PixelMotion (version unspecified)

Auth required

Prerequisites: access to admin panel · ability to upload files

MITRE ATT&CK

T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/5380

View Code ZIP pw:eip

This exploit targets a database backup dump vulnerability in Blog PixelMotion. It allows unauthorized access to the database backup file via a direct URL, leading to potential information disclosure of user data stored in the 'blog_utilisateurs' table.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Blog PixelMotion

No auth needed

Prerequisites: Target must have Blog PixelMotion installed · The 'sauvBase.php' file must be accessible

MITRE ATT&CK

T1592 - Gather Victim Host Information T1082 - System Information Discovery

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/5381

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/41670

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/28646

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/1121/references

Scores

EPSS 0.0522

EPSS Percentile 91.4%

Details

CWE

CWE-94

Status published

Products (1)

pixel_motion/pixel_motion_blog

Published Apr 17, 2008

Tracked Since Feb 18, 2026