CVE-2009-4666

Webradev Download Protect 1.0 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4666. PoCs published by asL-Sabia.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Webradev Download Protect v1.0 by manipulating the `GLOBALS[RootPath]` parameter to include arbitrary remote files. The PoC provides multiple endpoints where the vulnerability can be triggered.

Description

Multiple PHP remote file inclusion vulnerabilities in Webradev Download Protect 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[RootPath] parameter to (1) Framework/EmailTemplates.class.php, (2) Customers/PDPEmailReplaceConstants.class.php, and (3) Admin/ResellersManager.class.php in includes/DProtect/.

Exploits (1)

exploitdb WORKING POC VERIFIED

by asL-Sabia · textwebappsphp

https://www.exploit-db.com/exploits/8792

View Code ZIP pw:eip

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Webradev Download Protect v1.0 by manipulating the `GLOBALS[RootPath]` parameter to include arbitrary remote files. The PoC provides multiple endpoints where the vulnerability can be triggered.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Webradev Download Protect v1.0

No auth needed

Prerequisites: Remote file hosting with shell payload · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/8792

Scores

EPSS 0.0306

EPSS Percentile 86.9%

Details

CWE

CWE-94

Status published

Products (1)

qualityunit/download_protect 1.0

Published Mar 05, 2010

Tracked Since Feb 18, 2026