CVE-2006-4204

phprojekt < 5.1 - Remote Code Execution via path_pre or lib_path Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4204. PoCs published by Kacper.

AI-analyzed exploit summary The code describes a local file inclusion (LFI) vulnerability in PHProjekt 5.1, where an attacker can include arbitrary scripts via the 'lib_path' or 'path_pre' parameters. No actual exploit code is provided, only URLs demonstrating the vulnerability.

Description

Multiple PHP remote file inclusion vulnerabilities in PHProjekt 5.1 and possibly earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) path_pre parameter in lib/specialdays.php and the (2) lib_path parameter in lib/dbman_filter.inc.php.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Kacper · textwebappsphp

https://www.exploit-db.com/exploits/2190

View Code ZIP pw:eip

The code describes a local file inclusion (LFI) vulnerability in PHProjekt 5.1, where an attacker can include arbitrary scripts via the 'lib_path' or 'path_pre' parameters. No actual exploit code is provided, only URLs demonstrating the vulnerability.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: PHProjekt 5.1

No auth needed

Prerequisites: Access to the target application · Knowledge of the application path

MITRE ATT&CK