CVE-2008-3365

Pixelpost 1.7.1 - Remote Code Execution via Language Parameter Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3365. PoCs published by DSecRG.

AI-analyzed exploit summary The exploit demonstrates a Local File Include (LFI) vulnerability in Pixelpost photoblog 1.7.1. It leverages the 'lang' parameter to manipulate the 'language_full' variable, allowing arbitrary file inclusion via path traversal.

Description

Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on Windows, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language_full parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DSecRG · textwebappsphp

https://www.exploit-db.com/exploits/6150

View Code ZIP pw:eip

The exploit demonstrates a Local File Include (LFI) vulnerability in Pixelpost photoblog 1.7.1. It leverages the 'lang' parameter to manipulate the 'language_full' variable, allowing arbitrary file inclusion via path traversal.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Pixelpost photoblog 1.7.1

No auth needed

Prerequisites: register_globals enabled

MITRE ATT&CK