CVE-2006-3984
phpauction 2.1 - Remote File Inclusion via phpAds_path Parameter
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-3984. PoCs published by Philipp Niedziela.
AI-analyzed exploit summary: This exploit demonstrates a remote file inclusion vulnerability in PHPAuction 2.1 due to improper sanitization of the $phpAds_path variable in /phpAdsNew/view.inc.php. An attacker can include a remote PHP shell to execute arbitrary commands.
Description
PHP remote file inclusion vulnerability in phpAdsNew/view.inc.php in Albasoftware Phpauction 2.1 and possibly later versions, with phpAdsNew 2.0.5, allows remote attackers to execute arbitrary PHP code via a URL in the phpAds_path parameter.
Exploits (1)
This exploit demonstrates a remote file inclusion vulnerability in PHPAuction 2.1 due to improper sanitization of the $phpAds_path variable in /phpAdsNew/view.inc.php. An attacker can include a remote PHP shell to execute arbitrary commands.