CVE-2013-1412

Dleviet Datalife Engine - Code Injection

Title source: rule

Description

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/24444

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by EgiX · textwebappsphp

https://www.exploit-db.com/exploits/24438

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by EgiX, juan vazquez · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb

View Code ZIP pw:eip

References (8)

[Exploit] http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html

[Patch, Vendor Advisory] http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html

[Exploit] http://karmainsecurity.com/KIS-2013-01

[Exploit] http://www.exploit-db.com/exploits/24438

[Exploit] http://www.exploit-db.com/exploits/24444

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/57603

[Third Party Advisory, VDB Entry] http://osvdb.org/89662

[Third Party Advisory] http://secunia.com/advisories/51971

Scores

EPSS 0.8510

EPSS Percentile 99.4%

Details

CWE

CWE-94

Status published

Products (1)

dleviet/datalife_engine 9.7

Published Jun 02, 2014

Tracked Since Feb 18, 2026