Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-2784. PoCs published by SirGod.
AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in dit.cms 1.3 due to improper input validation in multiple PHP scripts. The PoC includes URLs that leverage path traversal sequences to access arbitrary files (e.g., boot.ini) when register_globals is enabled.
Description
Multiple directory traversal vulnerabilities in dit.cms 1.3, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the path parameter to index.php in (1) install/, (2) menus/left_rightslideopen/, (3) menus/side_pullout/, (4) menus/side_slideopen/, (5) menus/simple/, (6) menus/top_dropdown/, and (7) menus/topside/; the sitemap parameter to index.php in (8) menus/left_rightslideopen/, (9) menus/side_pullout/, (10) menus/side_slideopen/, (11) menus/top_dropdown/, and (12) menus/topside/; and the (13) relPath parameter to index/index.php. NOTE: PHP remote file inclusion vulnerabilities reportedly also exist for some of these vectors.
Exploits (1)
This exploit demonstrates a Local File Inclusion (LFI) vulnerability in dit.cms 1.3 due to improper input validation in multiple PHP scripts. The PoC includes URLs that leverage path traversal sequences to access arbitrary files (e.g., boot.ini) when register_globals is enabled.