CVE-2005-2733
published 2005-08-30


Priority: P3 · 53
CVSS 2.0: 7.5 (high), AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 50.89% (98.8th percentile)

upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.

Affected

2 ranges
Vendor           Product          Version range  Fixed in
alexander_palmo  simple_php_blog  <= 0.5.0.1
alexander_palmo  simple_php_blog

Detection & IOCs (extracted from sources)

path: /config/password.txt
path: /images/
path: /login_cgi.php
path: /install03_cgi.php
path: /comment_delete_cgi.php
filename: cmd.php
filename: reset.php
cookie: my_id=<session>; PHPSESSID=<session>
command: comment_delete_cgi.php?y=05&m=08&comment=./images/reset.php
command: upload_img_cgi.php POST userfile=cmd.php

  • Detect unauthenticated GET requests to /config/password.txt — this is the first stage of the exploit chain, retrieving the password hash without authentication.
  • Detect multipart/form-data POST to /upload_img_cgi.php with non-image file extensions (e.g., .php) in the filename field — this is the unrestricted file upload vector.
  • Detect GET requests to /comment_delete_cgi.php with a 'comment' parameter containing path traversal sequences (e.g., '../' or './config/') — used to delete arbitrary files including password.txt.
  • Detect POST to /install03_cgi.php after /config/password.txt has been deleted through comment_delete_cgi.php: the attacker is resetting credentials as part of the exploit chain.
  • Detect access to /images/*.php — uploaded PHP webshells (cmd.php or randomly named .php files) placed in the images directory are executed here.
  • Correlate the full exploit chain in sequence: GET /config/password.txt → DELETE via comment_delete_cgi.php → POST /install03_cgi.php → POST /login_cgi.php → POST /upload_img_cgi.php (PHP file) → GET /images/<shell>.php
  • The Metasploit module targets Simple PHP Blog <= 0.4.0 only; versions above 0.4.0 (up to but not including 0.5.1) may be vulnerable to a related but distinct incomplete blacklist bypass (CVE-2007-5071), not CVE-2005-2733.
  • The default URI path used by the Metasploit module is /sphpblog; detections should account for installations at non-default paths.
  • The uploaded PHP shell filenames in the Metasploit module are randomly generated (20 random alphanumeric chars + .php), so static filename-based detection will miss automated exploitation; focus on path pattern /images/*.php instead.
  • The original PoC exploit script (exploit-db 1191) uses a hardcoded filename 'cmd.php', whereas the Metasploit module uses random names; detection rules should cover both patterns.
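
The correlation described in the list above, run over web server access logs. This is an added example, not code from this page or from any tool it cites. It assumes Common/Combined Log Format; the function and stage names are hypothetical, the "./" test on the comment parameter is a heuristic, and the sample lines are constructed. Access logs do not record the multipart filename, so any POST to upload_img_cgi.php counts as the upload stage.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/Combined Log Format prefix: ip ident user [time] "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
POST_STAGES = {"install03_cgi.php": "reinstall", "login_cgi.php": "login",
               "upload_img_cgi.php": "upload"}  # upload filename is not logged
CHAIN = ["read_password", "delete", "reinstall", "login", "upload", "images_php"]

def classify(method, target):
    """Map one request to a stage from the detection list, else None."""
    url = urlsplit(target)
    path = url.path.lower()
    script = path.rsplit("/", 1)[-1]  # match by name: install path may vary
    if method == "GET" and path.endswith("/config/password.txt"):
        return "read_password"
    if script == "comment_delete_cgi.php":
        vals = parse_qs(url.query).get("comment", [])  # percent-decoded values
        return "delete" if any("./" in v for v in vals) else None
    if method == "POST" and script in POST_STAGES:
        return POST_STAGES[script]
    if re.search(r"/images/[^/]+\.php$", path):
        return "images_php"  # cmd.php and randomly named files alike
    return None

def stages_by_client(lines):
    """Return {client_ip: [stage, ...]} in log order."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        stage = classify(m.group(2), m.group(3)) if m else None
        if stage:
            hits[m.group(1)].append(stage)
    return dict(hits)

def full_chain(stages):
    """True if CHAIN occurs as an ordered subsequence of stages."""
    it = iter(stages)
    return all(step in it for step in CHAIN)

T = "[30/Aug/2005:10:00:00 +0000]"
SAMPLE = [  # constructed lines (documentation IP range), not from a real server
    f'203.0.113.7 - - {T} "GET /sphpblog/config/password.txt HTTP/1.1" 200 64',
    f'203.0.113.7 - - {T} "GET /sphpblog/comment_delete_cgi.php?y=05&m=08&comment=./config/password.txt HTTP/1.1" 302 0',
    f'203.0.113.7 - - {T} "POST /sphpblog/install03_cgi.php HTTP/1.1" 302 0',
    f'203.0.113.7 - - {T} "POST /sphpblog/login_cgi.php HTTP/1.1" 302 0',
    f'203.0.113.7 - - {T} "POST /sphpblog/upload_img_cgi.php HTTP/1.1" 200 512',
    f'203.0.113.7 - - {T} "GET /sphpblog/images/cmd.php HTTP/1.1" 200 128',
]
```

Individual stages such as login occur in normal use; alert on full_chain per client, and treat any images_php hit as worth review on its own.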