Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-4059. PoCs published by Philipp Niedziela.
AI-analyzed exploit summary: This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in NEWSolved Lite v1.9.2 due to improper sanitization of the `abs_path` parameter. An attacker can include remote files containing malicious code, leading to Remote Code Execution (RCE).
Description
Multiple PHP remote file inclusion vulnerabilities in USOLVED NEWSolved Lite 1.9.2, and possibly earlier, allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) newsscript_lyt.php, (2) newsticker/newsscript_get.php, (3) inc/output/news_theme1.php, (4) inc/output/news_theme2.php, or (5) inc/output/news_theme3.php.