CVE-2006-6213

PEGames - Remote File Inclusion via index.php abs_url Parameter

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6213. PoCs published by DeltahackingTEAM.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in PEGames by manipulating the 'abs_url' parameter to include a remote shell. The vulnerable code dynamically includes a PHP file without proper input validation.

Description

index.php in PEGames uses the extract function to overwrite critical variables, which allows remote attackers to conduct PHP remote file inclusion attacks via the abs_url parameter, which is later extracted to overwrite a previously uncontrolled value.

Exploits (1)

exploitdb WORKING POC VERIFIED
by DeltahackingTEAM · textwebappsphp
https://www.exploit-db.com/exploits/2840

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in PEGames by manipulating the 'abs_url' parameter to include a remote shell. The vulnerable code dynamically includes a PHP file without proper input validation.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PEGames (version not specified)
No auth needed
Prerequisites: Remote shell accessible via HTTP · Target server with allow_url_include enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30517
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2840
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21266

Scores

EPSS 0.0252
EPSS Percentile 82.7%

Details

Status published
Products (1)
pegames/pegames
Published Dec 01, 2006
Tracked Since Feb 18, 2026