CVE-2008-6978
Full Revolution aspWebAlbum 3.2 - Unrestricted File Upload and Remote Code Execution via pics/ Directory
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2008-6978. PoCs published by e.wiZz!, Alemin_Krali.
AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in aspWebAlbum 3.2, including arbitrary file upload, admin bypass via SQL injection, and XSS. It provides clear URLs and parameters for exploitation.
Description
Unrestricted file upload vulnerability in Full Revolution aspWebAlbum 3.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in pics/, related to the uploadmedia action in album.asp.
Exploits (2)
The exploit demonstrates multiple vulnerabilities in aspWebAlbum 3.2, including arbitrary file upload, admin bypass via SQL injection, and XSS. It provides clear URLs and parameters for exploitation.
This is a writeup detailing multiple vulnerabilities in aspWebAlbum 3.2, including arbitrary file upload, admin bypass, and XSS. It provides URLs and parameters for exploitation but does not include functional exploit code.