CVE-2009-0731

Free Arcade Script 1.0 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0731. PoCs published by Osirys.

AI-analyzed exploit summary This exploit leverages a Local File Inclusion (LFI) vulnerability in Free Arcade Script 1.0 via Apache log injection to achieve Remote Command Execution (RCE). It injects malicious PHP code into Apache logs and includes the log file through the LFI vulnerability.

Description

Directory traversal vulnerability in pages/play.php in Free Arcade Script 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Osirys · perlwebappsphp

https://www.exploit-db.com/exploits/8094

View Code ZIP pw:eip

This exploit leverages a Local File Inclusion (LFI) vulnerability in Free Arcade Script 1.0 via Apache log injection to achieve Remote Command Execution (RCE). It injects malicious PHP code into Apache logs and includes the log file through the LFI vulnerability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Free Arcade Script 1.0

No auth needed

Prerequisites: PHP register_globals = On · Apache log write permissions · Access to the vulnerable play.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1200 - Hardware Additions T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/33869

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8094

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34023

Scores

EPSS 0.0563

EPSS Percentile 91.9%

Details

CWE

CWE-22

Status published

Products (1)

freearcadescript/free_arcade_script 1.0

Published Feb 24, 2009

Tracked Since Feb 18, 2026