CVE-2008-2018

PHPizabi 0.848b C1 HFP3 - Authenticated Exposure of Sensitive Information via Macro Expansion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2018. PoCs published by YOUCODE.

AI-analyzed exploit summary

This writeup describes an information disclosure vulnerability in PHPizabi v0.848b C1 HFP3, where a specially crafted post can expose database fields, including user credentials. The exploit leverages a template replacement mechanism in template.class.php that inadvertently discloses database values when specific placeholders are used.

Description

The AssignUser function in template.class.php in PHPizabi 0.848b C1 HFP3 performs unsafe macro expansions on strings delimited by '{' and '}' characters, which allows remote authenticated users to obtain sensitive information via a comment containing a macro, as demonstrated by a "{user.password}" comment in the profile of the admin user.

Exploits (1)

Exploit-DB writeup (verified)
by YOUCODE · text · webapps · php
https://www.exploit-db.com/exploits/5506

Classification: Writeup (90%)
Attack type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PHPizabi v0.848b C1 HFP3
Authentication: required
Prerequisites: Registered user account on the target PHPizabi site · Ability to post comments on a user's profile
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Third Party Advisory, VDB Entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/42143
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/28954
Exploit, Third Party Advisory (Exploit-DB): https://www.exploit-db.com/exploits/5506

Scores

EPSS score: 0.0438
EPSS percentile: 89.1%

Details

CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status: published
Products (1): phpizabi/phpizabi 0.848b
Published: Apr 30, 2008
Tracked since: Feb 18, 2026