CVE-2006-4671

Fantastic News 2.1.4 - Remote File Inclusion Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4671. PoCs published by Mr-m07.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Fantastic News <= 2.1.4. The vulnerability arises from insecure usage of the CONFIG[script_path] parameter in archive.php and headlines.php, allowing remote file execution.

Description

PHP remote file inclusion vulnerability in headlines.php in Fantastic News 2.1.4, and possibly earlier, allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[script_path] parameter, a different vector than CVE-2006-1154.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Mr-m07 · textwebappsphp

https://www.exploit-db.com/exploits/3027

View Code ZIP pw:eip

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Fantastic News <= 2.1.4. The vulnerability arises from insecure usage of the CONFIG[script_path] parameter in archive.php and headlines.php, allowing remote file execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Fantastic News <= 2.1.4

No auth needed

Prerequisites: Target must have allow_url_include enabled in PHP configuration · Attacker must be able to host a malicious file on a remote server

MITRE ATT&CK