CVE-2008-6177

LightBlog 9.8 - Path Traversal and Arbitrary File Execution via Username Parameter

Title source: llm

Exploitation Summary

EIP tracks one public exploit for CVE-2008-6177, a PoC published by JosS.

AI-analyzed exploit summary: The exploit demonstrates multiple local file inclusion (LFI) vulnerabilities in LightBlog 9.8 reachable through GET, POST, and cookie parameters. The PoC shows how an attacker can read, and where the target file contains PHP, execute, arbitrary local files by supplying directory traversal sequences followed by a null byte.

Description

Multiple directory traversal vulnerabilities in LightBlog 9.8, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) username parameter to view_member.php, (2) username_post parameter to login.php, and the (3) Lightblog_username cookie parameter to check_user.php. The magic_quotes_gpc precondition matters because the PoC relies on a null byte to cut off whatever the script appends after the supplied name; with magic_quotes_gpc enabled, PHP escapes null bytes in GET, POST and cookie input, so the truncation fails.
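As an added example (not from the EIP record, the exploit-db PoC, or the LightBlog code), the check below inspects a parsed request for the three input vectors the description names and models why the magic_quotes_gpc precondition exists. The include prefix members/ and suffix .php, the request dictionary layout, and the sample values are assumptions made for this example; the CVE text only says the parameters reach an include. The detector also percent-decodes until the value stops changing so a double-encoded traversal is flagged, which goes beyond the single-encoded values the PoC uses.

```python
import re
from urllib.parse import unquote

# Where each affected parameter is read, per the CVE description.
WATCHED_INPUTS = {
    "view_member.php": ("GET", "username"),
    "login.php": ("POST", "username_post"),
    "check_user.php": ("COOKIE", "Lightblog_username"),
}

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded ../ (%252e%252e%252f)
    is recognised as traversal as well as the plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def magic_quotes_gpc(value: str) -> str:
    """Model PHP's magic_quotes_gpc (addslashes on GET/POST/COOKIE): a NUL byte
    becomes the two characters backslash and '0', so it cannot truncate a path."""
    return value.replace("\x00", "\\0")


def effective_include_path(value: str, magic_quotes: bool,
                           prefix: str = "members/", suffix: str = ".php") -> str:
    """Assumed include construction: prefix + user value + suffix (the prefix
    and suffix are placeholders, not LightBlog's real code). On PHP before
    5.3.4 the path handed to the C library ends at the first NUL byte."""
    if magic_quotes:
        value = magic_quotes_gpc(value)
    path = prefix + value + suffix
    return path.split("\x00", 1)[0]


def analyze_value(raw: str) -> list[str]:
    """Reasons a single parameter value looks like an LFI attempt."""
    value = decode_fully(raw)
    reasons = []
    if TRAVERSAL_RE.search(value):
        reasons.append("directory traversal")
    if "\x00" in value:
        reasons.append("null byte")
    return reasons


def find_lfi_attempts(request: dict) -> list[dict]:
    """request = {"script": ..., "GET": {...}, "POST": {...}, "COOKIE": {...}}
    (assumed layout). Only the parameter the CVE names for that script is checked."""
    findings = []
    watched = WATCHED_INPUTS.get(request.get("script", ""))
    if watched is None:
        return findings
    location, name = watched
    raw = request.get(location, {}).get(name)
    if raw is None:
        return findings
    reasons = analyze_value(raw)
    if reasons:
        findings.append({"script": request["script"], "location": location,
                         "param": name, "value": raw, "reasons": reasons})
    return findings


# Constructed sample requests for the example, not captured traffic.
SAMPLE_REQUESTS = [
    {"script": "view_member.php",
     "GET": {"username": "../../../../etc/passwd%00"}},
    {"script": "login.php",
     "POST": {"username_post": "%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500"}},
    {"script": "check_user.php",
     "COOKIE": {"Lightblog_username": "../../../../proc/self/environ%00"}},
    {"script": "view_member.php",
     "GET": {"username": "alice"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for f in find_lfi_attempts(req):
            print(f"{f['script']} {f['location']}[{f['param']}]: {', '.join(f['reasons'])}")
    v = decode_fully("../../../../etc/passwd%00")
    print("magic_quotes_gpc off:", effective_include_path(v, magic_quotes=False))
    print("magic_quotes_gpc on: ", effective_include_path(v, magic_quotes=True))
```

With magic_quotes_gpc off the assumed path collapses to members/../../../../etc/passwd; with it on, the escaped byte leaves members/../../../../etc/passwd\0.php, which does not exist. Null-byte truncation also stops working on PHP 5.3.4 and later, where file functions reject paths containing NUL, so the precondition in the description only decides the outcome on older PHP.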

Exploits (1)

exploit-db (working PoC, verified)
by JosS · webapps · php
https://www.exploit-db.com/exploits/6797


Classification
Working PoC: 90%
Attack type: Info leak
Complexity: Trivial
Reliability: Reliable
Target: LightBlog 9.8
Authentication: none needed
Prerequisites: Access to the vulnerable web application
Analyzed by devstral-2 on Feb 16, 2026

References (4)

IBM X-Force (third-party advisory, VDB entry): https://exchange.xforce.ibmcloud.com/vulnerabilities/46030
Secunia (third-party advisory): http://secunia.com/advisories/32345
SecurityFocus BID 31851 (exploit, VDB entry): http://www.securityfocus.com/bid/31851
Exploit-DB 6797 (exploit, third-party advisory): https://www.exploit-db.com/exploits/6797

Scores

EPSS: 0.0186
EPSS percentile: 76.4%

Details

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (1): publicwarehouse/lightblog 9.8
Published: Feb 19, 2009
Tracked since: Feb 18, 2026