CVE-2006-4055

TSEP <0.942 - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-4055. PoCs published by beford.

AI-analyzed exploit summary This exploit leverages a file inclusion vulnerability in TSEP <= 0.942 due to improper handling of the `tsep_config[absPath]` parameter, allowing remote file inclusion when `register_globals` is enabled. The PoC demonstrates how an attacker can include a remote shell (e.g., r57shell.txt) via the vulnerable `colorswitch.php` script.

Description

Multiple PHP remote file inclusion vulnerabilities in Olaf Noehring The Search Engine Project (TSEP) 0.942 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the tsep_config[absPath] parameter to (1) include/colorswitch.php, (2) contentimages.class.php, (3) ipfunctions.php, (4) configfunctions.php, (5) printpagedetails.php, or (6) log.class.php. NOTE: the copyright.php vector is already covered by CVE-2006-3993.

Exploits (2)

exploitdb WORKING POC VERIFIED
by beford · textwebappsphp
https://www.exploit-db.com/exploits/2116

This exploit leverages a file inclusion vulnerability in TSEP <= 0.942 due to improper handling of the `tsep_config[absPath]` parameter, allowing remote file inclusion when `register_globals` is enabled. The PoC demonstrates how an attacker can include a remote shell (e.g., r57shell.txt) via the vulnerable `colorswitch.php` script.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: TSEP <= 0.942
No auth needed
Prerequisites: register_globals enabled · remote file accessible via URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
webappsphp
https://www.exploit-db.com/exploits/2098

The exploit demonstrates a Remote File Inclusion (RFI) vulnerability in TSEP 0.9.4.2 due to unsanitized user input in the `tsep_config[absPath]` parameter. An attacker can include and execute arbitrary PHP code from a remote server by manipulating the parameter in the `copyright.php` file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: TSEP 0.9.4.2
No auth needed
Prerequisites: Remote PHP shell accessible via URL · Target server with allow_url_include enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2116
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28107
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21291
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19326
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/442098/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1354

Scores

EPSS 0.0383
EPSS Percentile 88.7%

Details

Status published
Products (1)
tsep/tsep < 0.942
Published Aug 10, 2006
Tracked Since Feb 18, 2026