CVE-2006-4004

vbPortal 3.0.2-3.6.0 Beta 1 - Unauthenticated Directory Traversal and Remote Code Execution via bbvbplang Cookie


Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4004. PoCs published by r00t.

AI-analyzed exploit summary: This exploit targets a remote command execution vulnerability in vbPortal versions 3.0.2 to 3.6.0 Beta 1 by injecting PHP code into log files via HTTP headers and then triggering execution through a path traversal attack. It requires magic_quotes_gpc to be off and relies on predictable log file locations.

Description

Directory traversal vulnerability in index.php in vbPortal 3.0.2 through 3.6.0 Beta 1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the bbvbplang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by r00t · phpwebappsphp
https://www.exploit-db.com/exploits/2087


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vbPortal 3.0.2 <= 3.6.0 Beta 1
No auth needed
Prerequisites: magic_quotes_gpc=Off · writable log files · predictable log file paths
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19257
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2087
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28077
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21287
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3102

Scores

EPSS 0.0288
EPSS Percentile 85.0%

Details

Status published
Products (5)
vbportal/vbportal 3.0.2
vbportal/vbportal 3.5.0_beta_2
vbportal/vbportal 3.5.0_beta_3
vbportal/vbportal 3.5.0_gold
vbportal/vbportal 3.6.0_beta_1
Published Aug 07, 2006
Tracked Since Feb 18, 2026