CVE-2012-1671

phppaleo < 4.8b155 - Path Traversal via Lang Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-1671. PoCs published by Mark Stanislav.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in phpPaleo via a null-byte attack on the 'lang' GET parameter. It allows reading arbitrary files (e.g., /etc/passwd) when magic_quotes_gpc is disabled and PHP is < 5.3.4.

Description

Directory traversal vulnerability in index.php in phpPaleo 4.8b155 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mark Stanislav · textwebappsphp
https://www.exploit-db.com/exploits/18701

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in phpPaleo via a null-byte attack on the 'lang' GET parameter. It allows reading arbitrary files (e.g., /etc/passwd) when magic_quotes_gpc is disabled and PHP is < 5.3.4.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: phpPaleo 4.8b156
No auth needed
Prerequisites: magic_quotes_gpc disabled · PHP < 5.3.4
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18701
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/80100
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48398
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/52530
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/16/3
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/03/15/11

Scores

EPSS 0.0257
EPSS Percentile 83.1%

Details

CWE
CWE-22
Status published
Products (1)
nicolas_tormo/phppaleo < 4.8b155
Published Oct 08, 2012
Tracked Since Feb 18, 2026