CVE-2009-3660

efront < 3.5.4 - Remote Code Execution via path Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3660. PoCs published by cr4wl3r.

AI-analyzed exploit summary This is a writeup describing a Remote File Include (RFI) vulnerability in efront <= 3.5.4. The vulnerability allows an attacker to include a remote file via the 'path' parameter in database.php.

Description

PHP remote file inclusion vulnerability in libraries/database.php in Efront 3.5.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.

Exploits (1)

exploitdb WRITEUP VERIFIED
by cr4wl3r · textwebappsphp
https://www.exploit-db.com/exploits/9681

This is a writeup describing a Remote File Include (RFI) vulnerability in efront <= 3.5.4. The vulnerability allows an attacker to include a remote file via the 'path' parameter in database.php.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: efront <= 3.5.4
No auth needed
Prerequisites: Remote file hosting · Target server with allow_url_include enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9681
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36411

Scores

EPSS 0.0186
EPSS Percentile 76.5%

Details

CWE
CWE-94
Status published
Products (7)
efrontlearning/efront 3.1.0
efrontlearning/efront 3.1.2
efrontlearning/efront 3.1.3
efrontlearning/efront 3.1.4
efrontlearning/efront 3.5.0 (5 CPE variants)
efrontlearning/efront 3.5.1
efrontlearning/efront < 3.5.4
Published Oct 11, 2009
Tracked Since Feb 18, 2026