CVE-2008-6590

LightNEasy 1.2.2 - Path Traversal via Page Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6590.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in LightNEasy CMS, including remote file disclosure, arbitrary file copy/rename, remote command execution via PHP injection, and SQL injection. It provides clear proof-of-concept steps and affected code snippets.

Description

Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.

Exploits (1)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/5452

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in LightNEasy CMS, including remote file disclosure, arbitrary file copy/rename, remote command execution via PHP injection, and SQL injection. It provides clear proof-of-concept steps and affected code snippets.

Classification

Working Poc 95%

Attack Type

Rce | Sqli | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: LightNEasy CMS SQLite / no database <= 1.2.2

No auth needed

Prerequisites: magic_quotes_gpc = Off for some vulnerabilities · Admin-created news page for RCE

MITRE ATT&CK