CVE-2006-3374

randshop < 1.2 - Remote File Inclusion via index.php incl Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-3374. PoCs published by black-code.

AI-analyzed exploit summary The exploit describes a remote file inclusion vulnerability in Randshop due to improper input sanitization. An attacker can include arbitrary remote PHP files via the 'incl' parameter in the URL.

Description

PHP remote file inclusion vulnerability in index.php in Randshop 1.2 and earlier, including 0.9.3, allows remote attackers to execute arbitrary PHP code via a URL in the incl parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED

by black-code · textwebappsphp

https://www.exploit-db.com/exploits/28162

View Code ZIP pw:eip

The exploit describes a remote file inclusion vulnerability in Randshop due to improper input sanitization. An attacker can include arbitrary remote PHP files via the 'incl' parameter in the URL.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: Randshop (version not specified)

No auth needed

Prerequisites: Remote PHP file with malicious code · Web server with allow_url_include enabled

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/18809

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/439040/100/0/threaded

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1016438

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/439063/100/0/threaded

Scores

EPSS 0.0256

EPSS Percentile 83.1%

Details

Status published

Products (2)

randshop/randshop 0.9.3

randshop/randshop < 1.2

Published Jul 06, 2006

Tracked Since Feb 18, 2026