cbcvebase.
CVE-2008-3509
published 2008-08-07

CVE-2008-3509: LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote…

Priority: high (P353)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 3.43% (87.4th percentile)
LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote attackers to change the configuration or execute arbitrary PHP code via addition of blocks, and other vectors.

Affected (1 range)

Vendor: lovecms
Product: lovecms
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

path: system/admin/addblock.php
path: system/admin/blocks.php
path: system/admin/themes.php
command: content=phpinfo();&type=php
  • Detect unauthenticated POST requests to system/admin/addblock.php with parameters 'type=php' and a 'content' field — this is the primary RCE vector allowing arbitrary PHP code injection via block addition.
  • Detect unauthenticated POST requests to system/admin/blocks.php with bulk 'position', 'height', and 'visible' parameters (iterated numerically), used to make injected PHP blocks visible on the site.
  • Detect unauthenticated POST requests to system/admin/themes.php — this endpoint allows configuration changes (sitename, footer, debugmode, console, etc.) without authentication.
  • Flag any HTTP request to the three admin endpoints (addblock.php, blocks.php, themes.php) that lacks a valid session/authentication cookie, as the vulnerability is specifically the absence of authentication checks.
  • The exploit targets LoveCMS version 1.6.2 Final specifically; other versions may not be vulnerable or may have different admin path structures.
  • The RCE payload in the exploit uses phpinfo() as a proof-of-concept; real-world attackers would substitute arbitrary PHP code in the 'content' POST parameter — detection rules should match on type=php broadly, not just phpinfo().
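The detection rules above, turned into a small classifier over captured HTTP requests. This is an added example, not code from the cbcvebase page or from LoveCMS; the sample requests are constructed, and the session cookie name PHPSESSID is an assumption about the deployment.

```python
"""Classify requests to the three LoveCMS 1.6.2 admin endpoints (CVE-2008-3509).
Added example: the detection logic is written from the rules on this page; the
sample requests are constructed and the session cookie name is assumed."""
from urllib.parse import parse_qs, urlsplit

ADMIN_ENDPOINTS = (
    "system/admin/addblock.php",
    "system/admin/blocks.php",
    "system/admin/themes.php",
)
SESSION_COOKIE = "PHPSESSID"  # assumed cookie name; adjust to the real deployment


def classify(method, url, cookie_header, body):
    """Return alert tags for one request; an empty list means no admin endpoint hit."""
    path = urlsplit(url).path.lstrip("/")
    endpoint = next((e for e in ADMIN_ENDPOINTS if path.endswith(e)), None)
    if endpoint is None:
        return []
    alerts = []
    # Heuristic: no session cookie at all means the request cannot be authenticated.
    cookies = dict(kv.strip().split("=", 1) for kv in cookie_header.split(";") if "=" in kv)
    if SESSION_COOKIE not in cookies:
        alerts.append("unauthenticated-admin-access")
    raw = body if method == "POST" else urlsplit(url).query
    params = parse_qs(raw, keep_blank_values=True)
    # addblock.php: type=php plus a content field is the PHP block injection vector.
    if endpoint.endswith("addblock.php") and "content" in params \
            and params.get("type", [""])[0].lower() == "php":
        alerts.append("php-block-injection")
    # blocks.php: numbered position/height/visible fields toggle block visibility.
    if endpoint.endswith("blocks.php") and all(
            any(k.startswith(p) for k in params) for p in ("position", "height", "visible")):
        alerts.append("bulk-block-visibility-change")
    # themes.php: any POST here changes site configuration (sitename, footer, debugmode...).
    if endpoint.endswith("themes.php") and method == "POST":
        alerts.append("admin-config-change")
    return alerts


# Constructed sample traffic: (method, url, Cookie header, body).
SAMPLE_REQUESTS = [
    ("POST", "/system/admin/addblock.php", "", "content=phpinfo();&type=php"),
    ("POST", "/system/admin/blocks.php", "",
     "position1=left&height1=10&visible1=1&position2=right&height2=10&visible2=1"),
    ("POST", "/system/admin/themes.php", "PHPSESSID=abc123", "sitename=x&footer=y"),
    ("GET", "/index.php?page=home", "", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Run classify() over a batch and keep only the requests that raised alerts."""
    return [(url, classify(m, url, c, b)) for m, url, c, b in requests if classify(m, url, c, b)]
```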