CVE-2008-6544

Simple Machines Forum (SMF) 1.1.4 - Multiple Remote File Inclusions

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple PHP remote file inclusion vulnerabilities in Simple Machines Forum (SMF) 1.1.4 allow remote attackers to execute arbitrary PHP code via a URL in the (1) settings[default_theme_dir] parameter to Sources/Subs-Graphics.php and (2) settings[default_theme_dir] parameter to Sources/Themes.php. NOTE: CVE and multiple third parties dispute this issue because the files contain a protection mechanism against direct request

** DISPUTADA ** Múltiples vulnerabilidades de inclusión remota de ficheros PHP en Simple Machines Forum (SMF) v1.1.4, permite a atacantes remotos la ejecución de código PHP de su elección a través de una URL en los parámetros (1) settings[default_theme_dir] a Sources/Subs-Graphics.php y (2) settings[default_theme_dir] a Sources/Themes.php. NOTA: CVE y varios terceros discuten esta cuestión porque los archivos contienen un mecanismo de protección contra las peticiones directas.

*Credits: N/A

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-03-28 First Exploit
2009-03-29 CVE Reserved
2009-03-30 CVE Published
2024-08-07 CVE Updated
2024-11-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (7)

URL	Tag	Source
http://osvdb.org/51301	Vdb Entry
http://www.securityfocus.com/bid/28493	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/41518	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/31555	2008-03-28
http://archives.neohapsis.com/archives/bugtraq/2008-03/0425.html	2024-08-07
http://archives.neohapsis.com/archives/bugtraq/2008-03/0426.html	2024-08-07
http://archives.neohapsis.com/archives/bugtraq/2008-03/0431.html	2024-08-07

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Simple Machines Search vendor "Simple Machines"		Simple Machines Forum Search vendor "Simple Machines" for product "Simple Machines Forum"				1.1.4 Search vendor "Simple Machines" for product "Simple Machines Forum" and version "1.1.4"		-		Affected