CVE-2008-4557
CuteNews 1.1.1 - Remote Code Execution via Text Parameter in Highlight Plugin
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-4557. PoCs published by Eugene Minaev.
AI-analyzed exploit summary: This exploit leverages a PHP preg_replace vulnerability with the 'e' modifier in CuteNews, allowing remote code execution via crafted input. The PoC demonstrates command injection by embedding malicious PHP code in the 'text' parameter.
Description
plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text parameter, which is inserted into an executable regular expression.
Exploits (1)