CVE-2013-7387

DataLife Engine <9.7 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-7387. PoCs published by Metasploit, EgiX.

AI-analyzed exploit summary: This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7 via insecure usage of preg_replace() with the e modifier in preview.php. It injects arbitrary PHP code when the template contains a [catlist] or [not-catlist] tag.

Description

Session fixation vulnerability in DataLife Engine (DLE) 9.7 and earlier allows remote attackers to hijack web sessions via the PHPSESSID cookie.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/24444

This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7 via insecure usage of preg_replace() with the e modifier in preview.php. It injects arbitrary PHP code when the template contains a [catlist] or [not-catlist] tag.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: DataLife Engine 9.7
No auth needed
Prerequisites: Target must be running DataLife Engine 9.7 with a vulnerable template tag
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by EgiX · text · webapps · php
https://www.exploit-db.com/exploits/24438

The writeup describes a PHP code injection vulnerability in DataLife Engine 9.7 due to improper sanitization of the 'catlist' parameter in the /engine/preview.php script, allowing arbitrary PHP code execution via preg_replace with the e modifier.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: DataLife Engine 9.7
No auth needed
Prerequisites: A template containing a 'catlist' or 'not-catlist' tag
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit x_refsource_misc
http://en.securitylab.ru/lab/PT-2012-53
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51971

Scores

EPSS 0.0495
EPSS Percentile 91.1%

Details

Status published
Products (1)
dleviet/datalife_engine < 9.7
Published Jun 02, 2014
Tracked Since Feb 18, 2026