CVE-2008-3924

CMME <1.12 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3924. PoCs published by SirGod.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in CMME 1.12, including Local File Inclusion (LFI), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and unauthorized directory creation. The PoC provides clear examples and live demos for each vulnerability.

Description

The "Make a backup" functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19.

Exploits (1)

exploitdb WORKING POC VERIFIED

by SirGod · textwebappsphp

https://www.exploit-db.com/exploits/6313

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in CMME 1.12, including Local File Inclusion (LFI), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and unauthorized directory creation. The PoC provides clear examples and live demos for each vulnerability.

Classification

Working Poc 90%

Attack Type

Lfi | Xss | Csrf | Other

Complexity

Trivial

Reliability

Reliable

Target: CMME 1.12

No auth needed

Prerequisites: magic_quotes_gpc must be off for LFI · Target must be running CMME 1.12

MITRE ATT&CK