CVE-2006-5402

phpmybibli < 3.0.1 - Remote Code Execution via Path Parameter Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-5402. PoCs published by the_day.

AI-analyzed exploit summary The advisory describes a remote file inclusion vulnerability in PHPmybibli <=2.1, where unvalidated user input in parameters like `$include_path`, `$class_path`, and `$javascript_path` allows arbitrary PHP code execution via external file inclusion.

Description

Multiple PHP remote file inclusion vulnerabilities in PHPmybibli 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path, (2) javascript_path, and (3) include_path parameters in (a) cart.php; the (4) class_path parameter in (b) index.php; the (5) javascript_path parameter in (c) edit.php; the (6) include_path parameter in (d) circ.php; unspecified parameters in (e) select.php; and unspecified parameters in other files.

Exploits (1)

exploitdb WRITEUP VERIFIED

by the_day · textwebappsphp

https://www.exploit-db.com/exploits/2585

View Code ZIP pw:eip

The advisory describes a remote file inclusion vulnerability in PHPmybibli <=2.1, where unvalidated user input in parameters like `$include_path`, `$class_path`, and `$javascript_path` allows arbitrary PHP code execution via external file inclusion.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: PHPmybibli <=2.1

No auth needed

Prerequisites: PHP register_globals enabled · Remote file inclusion allowed in PHP configuration

MITRE ATT&CK