CVE-2006-4960
Php Blue Dragon <= 2.9.1 - Cross-Site Scripting via m Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-4960. PoCs published by Kacper.
AI-analyzed exploit summary: This exploit leverages a combination of SQL injection and XSS vulnerabilities in PhpBlueDragon CMS <= 2.9 to achieve remote code execution by injecting malicious PHP code into the registration and login forms, then triggering execution via a log file inclusion vulnerability.
Description
Cross-site scripting (XSS) vulnerability in index.php in Php Blue Dragon 2.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the m parameter, which is reflected in an error message resulting from a failed SQL query.