CVE-2006-5518

RSSonate - Remote File Inclusion via PROJECT_ROOT Parameter

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-5518. PoCs published by Kw3[R]Ln.

AI-analyzed exploit summary This Perl script exploits a remote command execution vulnerability in RSSonate by injecting a malicious script path via the PROJECT_ROOT parameter in multiple PHP files. It allows an attacker to execute arbitrary commands on the target system.

Description

Multiple PHP remote file inclusion vulnerabilities in Christopher Fowler (Rhode Island) RSSonate allow remote attackers to execute arbitrary PHP code via a URL in the PROJECT_ROOT parameter to (1) xml2rss.php, (2) config_local.php, (3) rssonate.php, and (4) sql2xml.php in Src/getFeed/inc/.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Kw3[R]Ln · pythonwebappsphp

https://www.exploit-db.com/exploits/2605

View Code ZIP pw:eip

This Perl script exploits a remote command execution vulnerability in RSSonate by injecting a malicious script path via the PROJECT_ROOT parameter in multiple PHP files. It allows an attacker to execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: RSSonate (version not specified)

No auth needed

Prerequisites: Network access to the target · Vulnerable RSSonate installation

MITRE ATT&CK