CVE-2008-6490
FLABER < 1.1 - Arbitrary File Write via update_xml.php target_file Parameter
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-6490. PoCs published by EgiX.
AI-analyzed exploit summary: This exploit leverages a file overwrite vulnerability in FLABER <= 1.1 RC1 via the `update_xml.php` script, allowing arbitrary PHP code execution by injecting a malicious payload into `upload_file.php`. The exploit establishes a pseudo-shell for remote command execution.
Description
function/update_xml.php in FLABER 1.1 and earlier allows remote attackers to overwrite arbitrary files by specifying the target filename in the target_file parameter. NOTE: this can be leveraged for code execution by overwriting a PHP file, as demonstrated using function/upload_file.php.