CVE-2006-4423

Bigace 1.8.2 - Remote Code Execution


Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-4423. PoCs published by Vampire.

AI-analyzed exploit summary:
The provided text describes a remote file inclusion vulnerability in Bigace 1.8.2, where unsanitized user input in the 'GLOBALS' parameter can lead to arbitrary PHP code execution. The example URL demonstrates the attack vector but lacks executable exploit code.

Description

Multiple PHP remote file inclusion vulnerabilities in Bigace 1.8.2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[_BIGACE][DIR][admin] parameter in (a) system/command/admin.cmd.php, (b) admin/include/upload_form.php, and (c) admin/include/item_main.php; and the (2) GLOBALS[_BIGACE][DIR][libs] parameter in (d) system/command/admin.cmd.php and (e) system/command/download.cmd.php.

Exploits (4)

Exploit-DB writeup (verified), by Vampire · text · webapps · php
https://www.exploit-db.com/exploits/28433

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Bigace 1.8.2
Authentication: none needed
Prerequisites: Remote PHP file hosting · PHP allow_url_include enabled
Analyzed by devstral-2, Feb 16, 2026

Exploit-DB writeup (verified), by Vampire · text · webapps · php
https://www.exploit-db.com/exploits/28432

The provided text describes a remote file inclusion vulnerability in Bigace 1.8.2, where unsanitized user input in the 'GLOBALS' parameter can lead to arbitrary PHP code execution. The example URL demonstrates the vulnerability but does not include functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Bigace 1.8.2
Authentication: none needed
Prerequisites: Access to the vulnerable endpoint · Ability to host malicious PHP code on a remote server
Analyzed by devstral-2, Feb 16, 2026

Exploit-DB writeup (verified), by Vampire · text · webapps · php
https://www.exploit-db.com/exploits/28434

The code describes a remote file inclusion vulnerability in Bigace 1.8.2 due to improper input sanitization. An attacker can exploit this to execute arbitrary PHP code by manipulating the GLOBALS parameter in the download.cmd.php script.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Bigace 1.8.2
Authentication: none needed
Prerequisites: Access to the target web application · Ability to craft a malicious URL with a remote PHP script
Analyzed by devstral-2, Feb 16, 2026

Exploit-DB writeup (verified), by Vampire · text · webapps · php
https://www.exploit-db.com/exploits/28435

This is a vulnerability writeup describing a remote file inclusion vulnerability in Bigace 1.8.2. It outlines the issue but does not provide functional exploit code.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Bigace 1.8.2
Authentication: none needed
Prerequisites: Remote PHP file hosting · PHP allow_url_include enabled
Analyzed by devstral-2, Feb 16, 2026

References (5)

Third Party Advisory, VDB Entry (SecurityTracker): http://securitytracker.com/id?1016760
Third Party Advisory, VDB Entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/444415/100/0/threaded
Exploit, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/19723
Third Party Advisory (SecurityReason): http://securityreason.com/securityalert/1462
Third Party Advisory, VDB Entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/28585

Scores

EPSS score: 0.0301
EPSS percentile: 85.7%

Details

Status: published
Products (1): bigace/bigace 1.8.2
Published: Aug 29, 2006
Tracked since: Feb 18, 2026