CVE-2006-4962

Php Blue Dragon <2.9.1 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-4962. PoCs published by Kacper.

AI-analyzed exploit summary This exploit targets Php Blue Dragon CMS 3.0.0 by leveraging a local file inclusion vulnerability to execute arbitrary commands via log file poisoning. It authenticates as a registered user and attempts to include malicious PHP code from server log files.

Description

Directory traversal vulnerability in pbd_engine.php in Php Blue Dragon 2.9.1 and earlier allows remote attackers to read and execute arbitrary local files via a .. (dot dot) sequence via the phpExt parameter, as demonstrated by executing PHP code in a log file.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Kacper · phpwebappsphp

https://www.exploit-db.com/exploits/4277

View Code ZIP pw:eip

This exploit targets Php Blue Dragon CMS 3.0.0 by leveraging a local file inclusion vulnerability to execute arbitrary commands via log file poisoning. It authenticates as a registered user and attempts to include malicious PHP code from server log files.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Php Blue Dragon CMS 3.0.0

Auth required

Prerequisites: Valid user credentials · Access to server log files · PHP Blue Dragon CMS 3.0.0 installation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Kacper · phpwebappsphp

https://www.exploit-db.com/exploits/2402

View Code ZIP pw:eip

This exploit leverages a combination of SQL injection and XSS vulnerabilities in PhpBlueDragon CMS <= 2.9 to achieve remote code execution by injecting malicious PHP code into the registration and login forms, then triggering execution via a log file inclusion vulnerability.