CVE-2006-4678

News Evolution 3.0.3 - Remote File Inclusion via _NE[AbsPath] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4678. PoCs published by ddoshomo.

AI-analyzed exploit summary This is a writeup describing a remote file inclusion vulnerability in News Evolution v3.0.3. It provides vulnerable URLs but does not include functional exploit code.

Description

PHP remote file inclusion vulnerability in News Evolution 3.0.3 allows remote attackers to execute arbitrary PHP code via the _NE[AbsPath] parameter in (1) install.php and (2) migrateNE2toNE3.php.

Exploits (1)

exploitdb WRITEUP VERIFIED

by ddoshomo · textwebappsphp

https://www.exploit-db.com/exploits/2325

View Code ZIP pw:eip

This is a writeup describing a remote file inclusion vulnerability in News Evolution v3.0.3. It provides vulnerable URLs but does not include functional exploit code.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: News Evolution v3.0.3

No auth needed

Prerequisites: Target must have the vulnerable software installed · Remote file inclusion must be enabled on the server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/445576/100/0/threaded

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/1536

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/28803

Scores

EPSS 0.0240

EPSS Percentile 81.9%

Details

Status published

Products (1)

comscripts/news_evolution 3.0.3

Published Sep 11, 2006

Tracked Since Feb 18, 2026