cbcvebase.
CVE-2009-1936
published 2009-06-05

Priority: P259
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 42.22% (98.5th percentile)
_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, execute arbitrary PHP code, or read arbitrary files via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500.

Affected

1 range

Vendor | Product | Version range | Fixed in
cpcommerce_project | cpcommerce | 1.2.0 – 1.2.9 |

Detection & IOCs (extracted from sources)

path: /_functions.php
url: /_functions.php?GLOBALS[prefix]=http://
url: /_functions.php?GLOBALS[prefix]=%00
url: /_functions.php?GLOBALS[prefix]=<file>%00
  • Detect GET requests to /_functions.php with a GLOBALS[prefix] parameter — direct access to this file is the attack vector; the file should never be called directly by legitimate users.
  • Flag requests where GLOBALS[prefix] contains a URL scheme (e.g., 'http://'), indicating a Remote File Inclusion attempt.
  • Flag requests where GLOBALS[prefix] contains a null byte (%00), indicating a Local File Inclusion / directory traversal attempt with null-byte termination.
  • The exploit checks response content for 'Failed opening' and 'No database selected' strings to confirm exploitation success — monitor outbound responses for these strings as a data-leakage indicator.
  • The exploit only works when PHP's register_globals is ON; with register_globals=off the GLOBALS[prefix] parameter cannot be injected, neutralising the attack.
  • Local File Inclusion (LFI) via null-byte termination additionally requires magic_quotes (mq) to be OFF; with magic_quotes=on the null byte is escaped and LFI is blocked.
  • Remote File Inclusion is blocked when PHP's 'URL file-access is disabled' (allow_url_include/allow_url_fopen=off); the exploit checks for this condition before proceeding.
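
The request-side detection bullets above, written as an access-log filter. This is an added example, not code from this page's sources or from cpCommerce; the function names, the combined log format and the sample entries are assumptions constructed for illustration. It also matches the percent-encoded parameter name GLOBALS%5Bprefix%5D, which a literal string match on the URL patterns would miss.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any URL scheme at the start of the value, e.g. http:// or ftp://.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

def classify(log_line):
    """Return a finding label for CVE-2009-1936 probes, or None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    path, _, query = match.group(1).partition('?')
    # Decode the path so /%5Ffunctions.php is treated like /_functions.php.
    if not unquote(path).endswith('/_functions.php'):
        return None
    # parse_qsl percent-decodes names and values, so GLOBALS%5Bprefix%5D
    # and %00 are compared in decoded form.
    values = [v for k, v in parse_qsl(query, keep_blank_values=True)
              if k == 'GLOBALS[prefix]']
    if not values:
        return 'direct-access'     # file should never be requested directly
    if any(SCHEME_RE.match(v) for v in values):
        return 'rfi-attempt'       # URL scheme in the prefix value
    if any('\x00' in v for v in values):
        return 'lfi-null-byte'     # null-byte terminated value
    return 'prefix-injection'      # parameter present with another value

def scan(lines):
    """Return (line_number, label) for every flagged line, 1-indexed."""
    findings = []
    for number, line in enumerate(lines, start=1):
        label = classify(line)
        if label:
            findings.append((number, label))
    return findings

# Constructed sample entries (documentation address and reserved host only).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2009:10:00:02 +0000] "GET /_functions.php?GLOBALS[prefix]=http://example.invalid/x HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Jun/2009:10:00:03 +0000] "GET /shop/_functions.php?GLOBALS%5Bprefix%5D=somefile%00 HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Jun/2009:10:00:04 +0000] "GET /_functions.php HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    for number, label in scan(SAMPLE_LOG):
        print(number, label)
```
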

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P