CVE-2008-5764

WorkSimple 1.2.1 - Remote Code Execution via Lang Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-5764. PoCs published by Osirys.

AI-analyzed exploit summary The writeup describes a Remote File Inclusion (RFI) vulnerability in WorkSimple 1.2.1 due to an undeclared $lang variable in calendar.php, allowing remote shell inclusion. It also mentions a sensitive data disclosure issue where user credentials are stored in plaintext in a .txt file.

Description

PHP remote file inclusion vulnerability in calendar.php in WorkSimple 1.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Osirys · textwebappsphp

https://www.exploit-db.com/exploits/7481

View Code ZIP pw:eip

The writeup describes a Remote File Inclusion (RFI) vulnerability in WorkSimple 1.2.1 due to an undeclared $lang variable in calendar.php, allowing remote shell inclusion. It also mentions a sensitive data disclosure issue where user credentials are stored in plaintext in a .txt file.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WorkSimple 1.2.1

No auth needed

Prerequisites: Network access to the target application · PHP remote file inclusion enabled on the server

MITRE ATT&CK