CVE-2009-4834
published 2010-05-04

CVE-2009-4834: lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.

Priority: P269, medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.02% (89.3th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
xpressengine | zeroboard | |

Detection & IOCs (extracted from sources)

path: /bbs/shell.php
path: /bbs/data/shell.php
filename: shell.php
command: */fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1
url: http://xxx.xxx.xxx/zboard/zboard.php?id=test
  • Exploit targets the `preg_replace()` function in lib.php via a crafted parameter name injected through now_connect.php; look for HTTP requests to zboard.php or now_connect.php containing PHP code fragments or chr()-encoded payloads in parameter names or values.
  • Exploit payload uses HTTP_SESSION_VARS, HTTP_SERVER_VARS, and HTTP_ENV_VARS as superglobal injection vectors; detect HTTP requests to zboard.php containing these parameter names alongside PHP code.
  • Post-exploitation webshell is written to the /bbs/data/ directory as shell.php and accessed with a ?cmd= query parameter; monitor for creation of or requests to shell.php under the Zeroboard bbs/data path.
  • The exploit payload is delivered as a crafted parameter name containing a preg_replace /e modifier injection wrapped in comment delimiters (*/.../*); detect URL-encoded or raw occurrences of this pattern in HTTP request parameter names targeting zboard.php.
  • The exploit targets Zeroboard version 4.1 pl7 specifically; other versions are not confirmed vulnerable by this PoC.
  • The PoC exploit code references a hardcoded test target path (zboard.php?id=test); real-world exploitation requires a valid board ID parameter, so detections should not be limited to id=test.
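
The detection notes above can be applied to web-server access logs. The following is an added example, not part of the original entry or of any vendor rule: it assumes combined-format log lines in which the request parameters appear in the query string (POST bodies would need the same checks in WAF or proxy logs). The rule names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter names and scripts taken from the detection notes on this page.
LEGACY_GLOBALS = {"HTTP_SESSION_VARS", "HTTP_SERVER_VARS", "HTTP_ENV_VARS"}
BOARD_SCRIPTS = ("/zboard.php", "/now_connect.php")
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d{1,3}\s*\)\s*\.?\s*){3,}", re.I)
COMMENT_WRAP = re.compile(r"\*/.+?/\*", re.S)  # "*/ code /*" inside a parameter name
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def params(query):
    """Split on '&' only and URL-decode, so ';' inside a name does not split it."""
    for item in filter(None, query.split("&")):
        name, _, value = item.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def classify(log_line):
    """Return the sorted rule names (hypothetical labels) that fire for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = unquote_plus(url.path).lower()
    pairs = list(params(url.query))
    hits = set()
    # Install directory varies (/bbs/, /zboard/), so match on the file name only.
    if path.endswith("/shell.php"):
        hits.add("webshell-request")
        if any(name == "cmd" for name, _ in pairs):
            hits.add("webshell-cmd")
    if path.endswith(BOARD_SCRIPTS):
        for name, value in pairs:
            if name.split("[", 1)[0] in LEGACY_GLOBALS:
                hits.add("legacy-global-param")
            if COMMENT_WRAP.search(name):
                hits.add("code-in-param-name")
            if CHR_CHAIN.search(name) or CHR_CHAIN.search(value):
                hits.add("chr-chain")
    return sorted(hits)

# Constructed sample lines: inert stand-in parameter name, documentation IP ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2010:10:00:00 +0000] "GET /bbs/zboard.php?id=free&page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2010:10:01:00 +0000] "GET /bbs/zboard.php?id=free&%2A%2Fchr(65).chr(66).chr(67)%3B%2F%2A=1&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1 HTTP/1.1" 200 311',
    '198.51.100.7 - - [04/May/2010:10:02:00 +0000] "GET /bbs/data/shell.php?cmd=id HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", "<-", line.split('"')[1])
```

The checks key on parameter names and script paths rather than on id=test, so they apply to any board ID.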

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 6.8 | MEDIUM |