CVE-2008-6748
published 2009-04-24

CVE-2008-6748: Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.

Priority: P357
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.74% (88.5th percentile)

Affected

1 range
Vendor    Product   Version range  Fixed in
megacubo  megacubo

Detection & IOCs (extracted from sources)

path: c:/Megacubo.exe
filename: Megacubo.exe
command: netsh firewall set opmode mode = disable
other: bmV0c2ggZmlyZXdhbGwgc2V0IG9wbW9kZSBtb2RlID0gZGlzYWJsZQ==
  • Monitor for processes spawned via the mega:// URI handler containing pipe characters and PHP function calls (e.g., system(), base64_decode(), fputs(), fopen(), file_get_contents()) in the URI path — this is the eval injection payload pattern.
  • Detect mega:// URI scheme invocations from browsers (Internet Explorer, Firefox) that contain the string 'play|con..' followed by PHP code constructs — this is the specific exploit trigger pattern.
  • Alert on creation of executable files at c:/Megacubo.exe by the Megacubo application process, as the exploit drops a downloaded payload to this hardcoded path.
  • Detect execution of 'netsh firewall set opmode mode = disable' (base64: bmV0c2ggZmlyZXdhbGwgc2V0IG9wbW9kZSBtb2RlID0gZGlzYWJsZQ==) as a child process of Megacubo, indicating successful exploitation and firewall disablement.
  • The exploit was tested specifically against Internet Explorer 7 and Mozilla Firefox 1.5 on Windows XP SP3; the mega:// URI handler registration is the attack surface, so scope detection to Windows hosts with Megacubo installed.
  • Megacubo is described as a PHP + Winbinder application, meaning the eval injection executes within the embedded PHP runtime bundled with the desktop application, not a web server context.
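
The detection points above, combined into one classifier over endpoint events. This is an added example, not part of the original entry or of any vendor rule set; the Sysmon-like field names (type, image, parent, cmdline, target), the Megacubo install path, the rule names and the sample events are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# PHP calls the entry lists as payload markers inside a mega:// URI.
PHP_CALL = re.compile(r"\b(system|base64_decode|fputs|fopen|file_get_contents)\s*\(", re.I)
MEGA_URI = re.compile(r"mega://(.*)", re.I | re.S)
FW_CMD = "netsh firewall set opmode mode = disable"
FW_B64 = base64.b64encode(FW_CMD.encode()).decode()  # equals the base64 IOC above
DROP_PATH = "c:/megacubo.exe"


def norm(value):
    """URL-decode, lower-case, unify slashes and drop all whitespace."""
    return re.sub(r"\s+", "", unquote(value or "").replace("\\", "/").lower())


def from_megacubo(path):
    return norm(path).endswith("megacubo.exe")


def classify(event):
    """Return the sorted names of the rules that one event matches."""
    hits = set()
    if event["type"] == "process":
        raw = unquote(event.get("cmdline") or "")
        uri = "".join(MEGA_URI.findall(raw))  # text after mega://, or ""
        if "|" in uri and PHP_CALL.search(uri):
            hits.add("mega_uri_php_call")
        if FW_B64 in uri:
            hits.add("mega_uri_encoded_firewall_cmd")
        if from_megacubo(event.get("parent")) and norm(FW_CMD) in norm(raw):
            hits.add("firewall_disabled_by_megacubo")
    elif event["type"] == "file_create":
        if norm(event.get("target")) == DROP_PATH and from_megacubo(event.get("image")):
            hits.add("payload_dropped_at_fixed_path")
    return sorted(hits)


# Constructed events; field names and install path are assumed, payloads are placeholders.
MEGACUBO = r"C:\Program Files\Megacubo\Megacubo.exe"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": 'Megacubo.exe "mega://play|PLACEHOLDER base64_decode(%22' + FW_B64 + '%22)"'},
    {"type": "file_create", "image": MEGACUBO, "target": r"C:\Megacubo.exe"},
    {"type": "process", "parent": MEGACUBO, "cmdline": "netsh  firewall set opmode mode=disable"},
]

if __name__ == "__main__":
    print([classify(event) for event in SAMPLE_EVENTS])
```

Whitespace and URL-encoding are normalised before matching, so spacing variants of the netsh command and percent-encoded URIs still match, while a netsh call from any other parent process does not.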