CVE-2008-6668

EXPLOITED NUCLEI

nweb2fax <= 0.2.7 - Path Traversal via id or var_filename Parameter

Title source: llm

Exploitation Summary

CVE-2008-6668 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including dun. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in nweb2fax <= 0.2.7, including Local File Inclusion (LFI), Arbitrary File Download, and Remote Command Execution (RCE) via improper input validation in PHP scripts. The RCE is achieved through command injection in the `viewrq.php` script when handling the `format` and `var_filename` parameters.

Description

Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by dun · textwebappsphp

https://www.exploit-db.com/exploits/5856

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in nweb2fax <= 0.2.7, including Local File Inclusion (LFI), Arbitrary File Download, and Remote Command Execution (RCE) via improper input validation in PHP scripts. The RCE is achieved through command injection in the `viewrq.php` script when handling the `format` and `var_filename` parameters.

Classification

Working Poc 95%

Attack Type

Rce | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: nweb2fax <= 0.2.7

No auth needed

Prerequisites: Network access to the target application · nweb2fax application running with vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

nweb2fax <=0.2.7 - Local File Inclusion

MEDIUMby geeknik

References (4)

Core 4

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/5856

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/43173

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/29804

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/43172

Scores

EPSS 0.0057

EPSS Percentile 69.3%

Details

VulnCheck KEV 2024-09-19

CWE

CWE-22

Status published

Products (2)

dirk_bartley/nweb2fax 0.2

dirk_bartley/nweb2fax < 0.2.7

Published Apr 08, 2009

Tracked Since Feb 18, 2026