CVE-2008-6473

Blogator-script 0.95 - Unauthenticated Arbitrary Password Change via Wildcard Parameter Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6473. PoCs published by Virangar Security.

AI-analyzed exploit summary: This exploit demonstrates an SQL injection vulnerability in Blogator-script 0.95, allowing an attacker to change any user's password by manipulating the 'a', 'b', and 'c' GET parameters. The vulnerability arises from improper sanitization of user input in the 'init_pass2.php' script.

Description

_blogadata/include/init_pass2.php in Blogator-script 0.95 allows remote attackers to change the password for arbitrary users via a modified "a" parameter with a "%" wildcard symbol in the b parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Virangar Security · text · webapps · php
https://www.exploit-db.com/exploits/5370

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Blogator-script 0.95
No auth needed
Prerequisites: Target must be running Blogator-script 0.95 · The vulnerable endpoint '/_blogadata/include/init_pass2.php' must be accessible
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5370
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/490501/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/51227

Scores

EPSS 0.0232
EPSS Percentile 81.2%

Details

CWE: CWE-255
Status: published
Products (1): blogator-script/blogator-script 0.95
Published: Mar 16, 2009
Tracked Since: Feb 18, 2026