CVE-2006-5899

acid_stats 2.3 - Remote File Inclusion via install.php3 repertoire Parameter

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-5899. PoCs published by Mahmood_ali.

AI-analyzed exploit summary The provided text describes a remote file-include vulnerability in the '@cid stats' program version 2.3, where insufficient sanitization of user-supplied data allows an attacker to include arbitrary files. The example URL demonstrates the vulnerability but lacks executable exploit code.

Description

PHP remote file inclusion vulnerability in install.php3 in @cid stats 2.3 allows remote attackers to execute arbitrary PHP code via a URL in the repertoire parameter. NOTE: this issue has been disputed by a third party, who states that install.php3 is supposed to be deleted after installation and, if not deleted, intentionally allows setting repertoire without an inclusion attack

Exploits (1)

exploitdb WRITEUP VERIFIED
by Mahmood_ali · textwebappsphp
https://www.exploit-db.com/exploits/28913

The provided text describes a remote file-include vulnerability in the '@cid stats' program version 2.3, where insufficient sanitization of user-supplied data allows an attacker to include arbitrary files. The example URL demonstrates the vulnerability but lacks executable exploit code.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: @cid stats 2.3
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450676/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450685/100/0/threaded

Scores

EPSS 0.0205
EPSS Percentile 78.8%

Details

Status published
Products (1)
acid_stats/acid_stats 2.3
Published Nov 15, 2006
Tracked Since Feb 18, 2026