CVE-2008-4428
published 2008-10-03

Priority: P262, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 7.03% (93.4th percentile)
Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory.

Affected (1 range)

Vendor      Product                        Version range   Fixed in
phlatline   personal_information_manager   <= 1.0

Detection & IOCs (extracted from sources)

path: /ppim/upload.php
path: /ppim/changepassword.php
path: /ppim/password.dat
path: /ppim/Readme.txt
path: /ppim/sendmail.php
url: http://target.tld/ppim/upload.php?login=1
url: http://target.tld/ppim/calendar.php?login=1
command: upload.php?mode=delfile&file=FileName
command: linkname=evil_link&linkurl=";$url=system('cat /etc/passwd');$foo="&linkdescription=test2&groupname=test+group&linksubmit=Make+Link
path: /ppim/shell.php
  • Detect unauthenticated file upload attempts to upload.php — look for multipart POST requests to /ppim/upload.php (with or without ?login=1) containing .php file uploads.
  • Authentication bypass via GET parameter: monitor for requests appending '?login=1' to any pPIM PHP script (e.g., calendar.php?login=1, upload.php?login=1).
  • Detect arbitrary file deletion attempts via upload.php using the 'mode=delfile' GET parameter.
  • Monitor for direct GET requests to /ppim/password.dat, /ppim/Readme.txt, and /ppim/email/*.email — these expose credentials and version info without authentication.
  • Use the Google dork 'inurl:events.php?listallevents' to identify exposed pPIM installations.
  • Detect XSS probes in events.php via the 'date' GET parameter — look for script/alert payloads in events.php?mode=new&date=.
  • Monitor for unauthenticated POST requests to /ppim/sendmail.php with 'submitemail' form field — indicates abuse of the open email relay.
  • After a successful upload, attackers access the dropped PHP webshell directly from the top-level pPIM directory (e.g., /ppim/shell.php or /ppim/phpinfo.php).
  • The authentication bypass (?login=1) only works if the web server is NOT configured to execute PHP embedded in HTML files; if PHP-in-HTML execution is enabled, the header.html auth check fires normally.
  • Uploaded files land in the top-level pPIM directory, not a sandboxed upload folder, making them directly web-accessible and executable.
  • Command injection via the link URL field relies on PHP include() of attacker-controlled flat files; the injected system() call runs with web server process privileges.
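
The request-level indicators listed above can be checked against a web server access log. The following is an added example, not part of the original advisory or of pPIM: it assumes common/combined log format and the /ppim/ install path shown on this page, the rule names are hypothetical, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Method, request target and status are enough for these rules.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
BASE = "/ppim/"  # install path as shown on this page; adjust for your deployment
# pPIM scripts named on this page. Assumption: extend with your install's full file list.
KNOWN_PHP = {"upload.php", "changepassword.php", "sendmail.php", "calendar.php", "events.php"}
EXPOSED = re.compile(r"(password\.dat|Readme\.txt|email/[^/]+\.email)")

def classify(line):
    """Return the names of the detection rules one access-log line matches."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = unquote(url.path)
    if not path.startswith(BASE):
        return []
    name, method = path[len(BASE):], m["method"]
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    if name.endswith(".php") and "1" in query.get("login", []):
        hits.append("auth_bypass_param")        # ?login=1 on any pPIM script
    if name == "upload.php" and method == "POST":
        hits.append("upload_post")              # body is not logged; review every hit
    if name == "upload.php" and "delfile" in query.get("mode", []):
        hits.append("file_delete")
    if name == "sendmail.php" and method == "POST":
        hits.append("mail_relay_post")
    if EXPOSED.fullmatch(name):
        hits.append("exposed_file")             # credentials / version info
    if (name.endswith(".php") and "/" not in name and name not in KNOWN_PHP
            and m["status"] == "200"):
        hits.append("unknown_top_level_php")    # possible dropped upload
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [03/Oct/2008:10:00:00 +0000] "GET /ppim/calendar.php?login=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Oct/2008:10:00:05 +0000] "POST /ppim/upload.php?login=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [03/Oct/2008:10:00:09 +0000] "GET /ppim/shell.php HTTP/1.1" 200 64',
    '198.51.100.7 - - [03/Oct/2008:11:00:00 +0000] "GET /ppim/password.dat HTTP/1.1" 200 41',
    '198.51.100.7 - - [03/Oct/2008:11:00:03 +0000] "GET /ppim/upload.php?mode=delfile&file=notes.txt HTTP/1.1" 200 300',
    '203.0.113.5 - - [03/Oct/2008:12:00:00 +0000] "GET /ppim/events.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split('"')[1])
```

Access logs do not record POST bodies, so the upload and sendmail rules flag every POST to those scripts; correlating an upload_post hit with a later unknown_top_level_php hit from the same client is the stronger signal.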