CVE-2008-6308

Private Messaging System for PunBB < 1.2.3 - Remote File Inclusion via pun_user[language] Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6308. PoCs published by StAkeR.

AI-analyzed exploit summary: This exploit targets a Local File Inclusion (LFI) vulnerability in PunBB's Private Messaging System 1.2.x. It leverages uninitialized variables in PHP scripts to include arbitrary files via path traversal and null byte injection.

Description

Multiple directory traversal vulnerabilities in Private Messaging System (PMS) 1.2.3 and earlier for PunBB allow remote attackers to include and execute arbitrary files via a .. (dot dot) in the pun_user[language] parameter to (1) functions_navlinks.php, (2) header_new_messages.php, (3) profile_send.php, and (4) viewtopic_PM-link.php in include/pms/.

Exploits (1)

exploitdb WORKING POC VERIFIED
by StAkeR · php · webapps · php
https://www.exploit-db.com/exploits/7159

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PunBB Private Messaging System 1.2.x
No auth needed
Prerequisites: register_globals = 1 · magic_quotes_gpc = 1 · PunBB with vulnerable Private Messaging System mod installed
devstral-2 · analyzed Feb 16, 2026

References (5)

Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/13201
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7159
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46718
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3214
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32360

Scores

EPSS 0.0204
EPSS Percentile 78.6%

Details

CWE: CWE-22
Status: published
Products (4)
punbb/private_messaging_system 1.2.0
punbb/private_messaging_system 1.2.1
punbb/private_messaging_system 1.2.2
punbb/private_messaging_system < 1.2.3
Published Feb 27, 2009
Tracked Since Feb 18, 2026