CVE-2006-1480

WebAlbum < 2.02 - Directory Traversal and Remote Code Execution via Skin2 Cookie Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-1480. PoCs published by rgod.

AI-analyzed exploit summary: This exploit targets a file inclusion vulnerability in WebAlbum <= 2.02pl via the `$_COOKIE[skin2]` parameter. It injects PHP code into Apache log files and triggers execution by manipulating the cookie value to include the log file path, achieving remote command execution.

Description

Directory traversal vulnerability in start.php in WebAlbum 2.02 allows remote attackers to include arbitrary files and execute commands by (1) injecting code into local log files via GET commands, then (2) accessing that log via a .. (dot dot) sequence and a trailing null (%00) byte in the skin2 COOKIE parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by rgod · phpwebappsphp
https://www.exploit-db.com/exploits/1608

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WebAlbum <= 2.02pl
No auth needed
Prerequisites: magic_quotes_gpc=Off · write access to Apache log files
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/24160
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25443
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19400
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17228
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1108
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1608

Scores

EPSS 0.0321
EPSS Percentile 86.5%

Details

Status published
Products (1)
duda/webalbum < 2.02
Published Mar 29, 2006
Tracked Since Feb 18, 2026