Exploitation Summary
EIP tracks 2 public exploits for CVE-2008-3164. PoCs published by Cod3rZ.
AI-analyzed exploit summary
This exploit targets Fuzzylime CMS 3.01 via Local File Inclusion (LFI) and Remote Code Execution (RCE) by injecting PHP code into logs and accessing it through vulnerable parameters. It uses LWP::UserAgent to send HTTP requests and verify successful exploitation.
Description
Directory traversal vulnerability in blog.php in fuzzylime (cms) 3.01, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter. NOTE: it was later reported that 3.01a is also affected.
Exploits (2)
This exploit targets Fuzzylime CMS 3.01 via Local File Inclusion (LFI) and Remote Code Execution (RCE) by injecting PHP code into logs and accessing it through vulnerable parameters. It uses LWP::UserAgent to send HTTP requests and verify successful exploitation.
This exploit targets a local file inclusion (LFI) vulnerability in Fuzzylime CMS 3.01a, allowing arbitrary file inclusion and potential remote code execution (RCE) by injecting malicious PHP code into log files. The script automates the process of injecting a PHP payload into logs and then accessing it via the LFI vulnerability.