CVE-2008-6290

nicLOR Sito - Path Traversal via Page File Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6290. PoCs published by StAkeR.

AI-analyzed exploit summary: This is a writeup describing a local file inclusion (LFI) vulnerability in a PHP application. It provides code snippets and example payloads to exploit the vulnerability, but does not include functional exploit code.

Description

Directory traversal vulnerability in includefile.php in nicLOR Sito, when register_globals is enabled or magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the page_file parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by StAkeR · text · webapps · php
https://www.exploit-db.com/exploits/6990

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: include_Sito_PHP (version not specified)
No auth needed
Prerequisites: Register Globals enabled · Magic_Quotes_GPC disabled
devstral-2 · analyzed Feb 16, 2026

References (4)

Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6990
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32556
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32111
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46338

Scores

EPSS 0.0193
EPSS Percentile 77.3%

Details

CWE
CWE-22
Status published
Products (1)
niclor/include_sito
Published Feb 26, 2009
Tracked Since Feb 18, 2026