CVE-2008-1971

phShoutBox Final <1.5 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-1971. PoCs published by t0pP8uZz.

AI-analyzed exploit summary This exploit leverages insecure cookie handling in PhShoutBox to bypass authentication by setting a cookie that grants admin privileges. The attack involves injecting a JavaScript snippet to set the cookie, allowing unauthorized access to the admin panel.

Description

phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by t0pP8uZz · textwebappsphp
https://www.exploit-db.com/exploits/5467

This exploit leverages insecure cookie handling in PhShoutBox to bypass authentication by setting a cookie that grants admin privileges. The attack involves injecting a JavaScript snippet to set the cookie, allowing unauthorized access to the admin panel.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: PhShoutBox <= 1.5 (final)
No auth needed
Prerequisites: Access to the vulnerable website · JavaScript execution in the browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41901
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5467
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28856
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29892

Scores

EPSS 0.0221
EPSS Percentile 80.3%

Details

CWE
CWE-287
Status published
Products (1)
phphq/phshoutbox_final < 1.5
Published Apr 27, 2008
Tracked Since Feb 18, 2026