CVE-2008-6132
published 2009-02-13CVE-2008-6132: Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute…
PriorityP258medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
26.14%
97.7th percentile
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brickhost | phpscheduleit | <= 1.2.10 | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | <= 1.2.10 | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
| php.brickhost | phpscheduleit | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandbtnSubmit=1&start_date=1').${error_reporting(0)}.${eval(base64_decode($_SERVER[HTTP_#{headername.gsub("-", "_")}]))};#↗
- →Monitor HTTP POST requests to reserve.php containing eval-injection payloads in the start_date parameter, specifically patterns with single-quote breaking and PHP execution constructs such as ').${...} ↗
- →Detect POST requests to reserve.php where start_date or end_date parameters contain single quotes, parentheses, or PHP code fragments indicative of eval injection (e.g., '), ${, eval(, base64_decode() ↗
- →Look for anomalous custom HTTP headers (X-<random-alpha>) on POST requests to reserve.php; the Metasploit module embeds base64-encoded payloads in a randomly named X- header and references it via $_SERVER[HTTP_<HEADERNAME>] for eval execution. ↗
- →Flag POST requests to reserve.php that include a Referer header pointing to reserve.php itself, combined with a start_date parameter containing injection syntax — this matches the Metasploit module's request pattern. ↗
- ·The vulnerability is only exploitable when the PHP configuration option magic_quotes_gpc is set to 'off'; if magic_quotes_gpc is 'on', the injected single quotes are escaped and the eval injection fails. ↗
- ·Authentication is not required to exploit this vulnerability, meaning any unauthenticated remote attacker can attempt the injection against exposed reserve.php endpoints. ↗
- ·Affected versions are phpScheduleIt 1.2.10 and earlier; version 1.2.11 and later are not affected. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-97m8-v3gc-qq69: Eval injection vulnerability in reserve
ghsa_unreviewed·2022-05-17
CVE-2008-6132 [MEDIUM] CWE-94 GHSA-97m8-v3gc-qq69: Eval injection vulnerability in reserve
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.
GHSA
GHSA-6vj2-4wv8-fm3g: Multiple eval injection vulnerabilities in phpScheduleIt before 1
ghsa_unreviewed·2022-05-02·CVSS 6.8
CVE-2009-0820 [MEDIUM] CWE-94 GHSA-6vj2-4wv8-fm3g: Multiple eval injection vulnerabilities in phpScheduleIt before 1
Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 allow remote attackers to execute arbitrary code via (1) the end_date parameter to reserve.php and (2) the start_date and end_date parameters to check.php. NOTE: the start_date/reserve.php vector is already covered by CVE-2008-6132.
No detection rules found.
Exploit-DB
phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)
exploitdb·2011-10-26
CVE-2008-6132 phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)
phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)
---
##
# $Id: phpscheduleit_start_date.rb 14073 2011-10-26 18:06:12Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection',
'Description' => %q{
This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt
software. This vulnerability is only exploitable when the magic_quotes_gpc PHP
option is 'off'. Authentication is not required to exploit the bug.
Version 1.2.10 and
Exploit-DB
phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution
exploitdb·2008-10-01
CVE-2009-0820 phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution
phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution
---
set_title(translate("Processing $Class"));
53. $t->printHTMLHeader();
54. $t->startMain();
55.
56. process_reservation($_POST['fn']);
57. }
58. else {
59. $res_info = getResInfo();
60. $t->set_title($res_info['title']);
61. $t->printHTMLHeader();
62. $t->startMain();
63. present_reservation($res_info['resid']);
64. }
[...]
79. function process_reservation($fn) {
80. $success = false;
81. global $Class;
82. $is_pending = (isset($_POST['pending']) && $_POST['pending']);
83.
84. if (isset($_POST['start_date'])) { // Parse the POST-ed starting and ending dates
85. $start_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['start_date']) . '\');');
86. $end_date = eval('return mktime(0,0,
Metasploit
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
metasploit
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
phpScheduleIt PHP reserve.php start_date Parameter Arbitrary Code Injection
This module exploits an arbitrary PHP code execution flaw in the phpScheduleIt software. This vulnerability is only exploitable when the magic_quotes_gpc PHP option is 'off'. Authentication is not required to exploit the bug. Version 1.2.10 and earlier of phpScheduleIt are affected.
No writeups or analysis indexed.
http://phpscheduleit.svn.sourceforge.net/viewvc/phpscheduleit/1.2.11/reserve.php?r1=318&r2=328http://secunia.com/advisories/32073http://sourceforge.net/project/shownotes.php?release_id=662749http://www.exploit-db.com/exploits/18037http://www.exploit-db.com/exploits/6646http://www.osvdb.org/48797http://www.securityfocus.com/bid/31520https://exchange.xforce.ibmcloud.com/vulnerabilities/45617http://phpscheduleit.svn.sourceforge.net/viewvc/phpscheduleit/1.2.11/reserve.php?r1=318&r2=328http://secunia.com/advisories/32073http://sourceforge.net/project/shownotes.php?release_id=662749http://www.exploit-db.com/exploits/18037http://www.exploit-db.com/exploits/6646http://www.osvdb.org/48797http://www.securityfocus.com/bid/31520https://exchange.xforce.ibmcloud.com/vulnerabilities/45617
2009-02-13
Published