CVE-2008-6132
published 2009-02-13

Priority P258 · CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available (Metasploit module)
EPSS: 26.14% (97.7th percentile)
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.

Affected

28 ranges · showing 25

Vendor          Product         Version range   Fixed in
brickhost       phpscheduleit   <= 1.2.10       not listed
php.brickhost   phpscheduleit   <= 1.2.10       not listed
(the remaining displayed rows repeat these two vendor/product pairs with empty version and fixed-in cells)

Detection & IOCs (extracted from sources)

path: /reserve.php
payload (Metasploit check): btnSubmit=1&start_date=1').${print('#{signature}')}.${die};#
payload (Metasploit exploit): btnSubmit=1&start_date=1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_#{headername.gsub("-", "_")}]))};#

The #{...} fragments are Ruby string interpolation from the Metasploit module and are not what reaches the server: #{signature} is a random marker the check prints back to confirm code execution, and #{headername.gsub("-", "_")} is the module's randomly named X- header rewritten into the form PHP uses for $_SERVER keys (dashes become underscores under an HTTP_ prefix). The payload shape shows the injection context: start_date lands inside a single-quoted string within a parenthesised expression in eval()'d code, so 1') closes the string and the parenthesis, .${...} uses PHP's variable-variable syntax to run an arbitrary function call as part of the expression, and ;# terminates the statement and comments out whatever followed on the original line.
  • Monitor HTTP POST requests to reserve.php whose start_date parameter carries an eval-injection payload: a single-quote breakout followed by a PHP execution construct, i.e. the ').${...} shape above.
  • Detect POST requests to reserve.php where start_date or end_date contains single quotes, parentheses or PHP code fragments indicative of eval injection, such as  ') ,  ${ ,  eval(  or  base64_decode( .
  • Look for anomalous custom HTTP headers (X-<random-alpha>) on POST requests to reserve.php: the Metasploit module carries its base64-encoded payload in a randomly named X- header and reads it back through $_SERVER[HTTP_<HEADERNAME>] inside the eval.
  • Flag POST requests to reserve.php whose Referer header points to reserve.php itself and whose start_date contains injection syntax; this matches the Metasploit module's request pattern.
  • The vulnerability is only exploitable when the PHP option magic_quotes_gpc is off; when it is on, the injected single quote is escaped and the breakout fails. magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so on any later PHP the precondition always holds.
  • Authentication is not required: any unauthenticated remote client can attempt the injection against an exposed reserve.php.
  • Affected versions are phpScheduleIt 1.2.10 and earlier; 1.2.11 and later are not affected.
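The detection notes above, as an added example that is not part of this page, of phpScheduleIt or of the Metasploit module: a small Python checker that applies the four rules to parsed HTTP requests, and additionally correlates the $_SERVER[HTTP_...] name inside the injected code with the custom X- header actually present on the request. The sample traffic is constructed for the example; the marker abc123 and the header name X-Qwdkjs stand in for values the real module randomizes.

```python
import re
from urllib.parse import urlencode, parse_qs

# Request parameters that reach the eval() in reserve.php (start_date per the advisory; end_date is
# included because the detection notes above list it as well).
WATCHED_PARAMS = ("start_date", "end_date")

# Shapes taken from the published Metasploit payloads: the quote-plus-paren breakout, PHP's ${...}
# construct, eval()/base64_decode() calls, and a reference to a request header through $_SERVER.
INJECTION_PATTERNS = (
    ("quote_break", re.compile(r"'\s*\)")),
    ("php_var_expr", re.compile(r"\$\{")),
    ("eval_call", re.compile(r"\beval\s*\(", re.IGNORECASE)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE)),
    ("server_header_ref", re.compile(r"\$_SERVER\s*\[\s*'?HTTP_([A-Za-z0-9_]+)'?\s*\]")),
)

# X- headers a legitimate client or proxy commonly adds; any other X- header on a reserve.php POST is suspect.
BENIGN_X_HEADERS = {"x-requested-with", "x-forwarded-for", "x-forwarded-proto", "x-real-ip"}


def cgi_header_name(header):
    """PHP exposes request header 'X-Qwdkjs' as $_SERVER['HTTP_X_QWDKJS'] (uppercase, '-' to '_')."""
    return "HTTP_" + header.upper().replace("-", "_")


def analyze_request(req):
    """Return the list of detection reasons for one request; an empty list means nothing matched."""
    reasons = []
    if req["method"] != "POST" or not req["path"].lower().endswith("reserve.php"):
        return reasons
    headers = {k.lower(): v for k, v in req["headers"].items()}
    params = parse_qs(req["body"], keep_blank_values=True)  # percent-decodes the values

    referenced = set()  # $_SERVER[HTTP_...] names the injected code reads from
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            for label, pattern in INJECTION_PATTERNS:
                match = pattern.search(value)
                if match:
                    reasons.append(f"{name}:{label}")
                    if label == "server_header_ref":
                        referenced.add("HTTP_" + match.group(1).upper())

    # Stager check: an unexpected X- header that the injected code itself names is the payload carrier.
    for header in headers:
        if header.startswith("x-") and header not in BENIGN_X_HEADERS:
            reasons.append(f"custom_x_header:{header}")
            if cgi_header_name(header) in referenced:
                reasons.append(f"header_referenced_by_payload:{header}")

    # The Metasploit request sets Referer to reserve.php itself; only meaningful alongside an injection hit.
    if headers.get("referer", "").lower().endswith("reserve.php") and any(
        r.startswith(WATCHED_PARAMS) for r in reasons
    ):
        reasons.append("referer_is_reserve.php")
    return reasons


# Constructed sample traffic (not real captures). "abc123" stands in for the random marker the
# Metasploit check sends, and X-Qwdkjs for its randomly named payload header.
CHECK_PAYLOAD = "1').${print('abc123')}.${die};#"
EXPLOIT_PAYLOAD = "1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_X_QWDKJS]))};#"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/phpscheduleit/reserve.php",
     "headers": {"Referer": "http://target/phpscheduleit/reserve.php"},
     "body": urlencode({"btnSubmit": "1", "start_date": CHECK_PAYLOAD})},
    {"method": "POST", "path": "/phpscheduleit/reserve.php",
     "headers": {"Referer": "http://target/phpscheduleit/reserve.php", "X-Qwdkjs": "cGhwaW5mbygpOw=="},
     "body": urlencode({"btnSubmit": "1", "start_date": EXPLOIT_PAYLOAD})},
    {"method": "POST", "path": "/phpscheduleit/reserve.php",
     "headers": {"Referer": "http://target/phpscheduleit/schedule.php", "X-Requested-With": "XMLHttpRequest"},
     "body": urlencode({"btnSubmit": "1", "start_date": "2009-02-13", "end_date": "2009-02-13"})},
    {"method": "GET", "path": "/phpscheduleit/index.php", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], "->", analyze_request(req) or "clean")
```

The header correlation is the highest-confidence signal: a random X- header on its own is noise on many sites, but one whose CGI name appears verbatim inside a start_date value is the stager described above. Note that magic_quotes_gpc does not help detection here; it only escapes the quote, so the same patterns still appear in the request and the check fires on a failed attempt as well as a successful one.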