CVE-2008-7000

PHPAuction 3.2 - Remote Code Execution via Index.php Lan Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-7000. PoCs published by Beenu Arora.

AI-analyzed exploit summary The provided text describes a remote file-include vulnerability in phpAuction 3.2 due to insufficient sanitization of user-supplied data. The example URL demonstrates how an attacker could exploit this issue by manipulating the 'lan' parameter.

Description

PHP remote file inclusion vulnerability in index.php in PHPAuction 3.2 allows remote attackers to execute arbitrary PHP code via a URL in the lan parameter. NOTE: this might be related to CVE-2005-2255.1.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Beenu Arora · textwebappsphp

https://www.exploit-db.com/exploits/33204

View Code ZIP pw:eip

The provided text describes a remote file-include vulnerability in phpAuction 3.2 due to insufficient sanitization of user-supplied data. The example URL demonstrates how an attacker could exploit this issue by manipulating the 'lan' parameter.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: phpAuction 3.2

No auth needed

Prerequisites: Access to the target application · Ability to manipulate the 'lan' parameter

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit x_refsource_misc

http://packetstorm.linuxsecurity.com/0809-exploits/phpauction32-rfi.txt

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/44938

Scores

EPSS 0.0205

EPSS Percentile 78.7%

Details

CWE

CWE-94

Status published

Products (1)

phpauction/phpauction 3.2

Published Aug 19, 2009

Tracked Since Feb 18, 2026