CVE-2006-6592

Bloq 0.5.4 - Remote File Inclusion via page[path] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2006-6592. PoCs published by KorsaN.

AI-analyzed exploit summary The provided text describes a remote file inclusion vulnerability in Bloq version 0.5.4, where insufficient sanitization of user-supplied data in the 'page[path]' parameter allows remote code execution. The example URL demonstrates how an attacker could exploit this by including a malicious file.

Description

Multiple PHP remote file inclusion vulnerabilities in Bloq 0.5.4 allow remote attackers to execute arbitrary PHP code via a URL in the page[path] parameter to (1) index.php, (2) admin.php, (3) rss.php, (4) rdf.php, (5) rss2.php, or (6) files/mainfile.php.

Exploits (6)

exploitdb WRITEUP VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28800

The provided text describes a remote file inclusion vulnerability in Bloq version 0.5.4, where insufficient sanitization of user-supplied data in the 'page[path]' parameter allows remote code execution. The example URL demonstrates how an attacker could exploit this by including a malicious file.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Bloq 0.5.4
No auth needed
Prerequisites: Network access to the target application · Ability to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28799

The code describes a remote file inclusion vulnerability in Bloq version 0.5.4, where insufficient sanitization of user-supplied data allows an attacker to include remote files via the 'page[path]' parameter in rss.php. This could lead to remote code execution if the attacker controls the included file.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Bloq 0.5.4
No auth needed
Prerequisites: Remote file inclusion must be enabled on the server · Attacker must be able to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28801

The provided text describes a remote file inclusion vulnerability in Bloq version 0.5.4, where insufficient sanitization of user-supplied data in the 'page[path]' parameter allows remote code execution. The example URL demonstrates how an attacker could include a remote file with arbitrary commands.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Bloq 0.5.4
No auth needed
Prerequisites: Network access to the target application · Remote file hosting capability
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28797

The provided text describes a remote file inclusion vulnerability in Bloq 0.5.4, where unsanitized user input in the 'page[path]' parameter allows arbitrary file inclusion. The example URL demonstrates how an attacker could execute commands via a remote file.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Bloq 0.5.4
No auth needed
Prerequisites: Network access to the target application · Ability to host a malicious file on a remote server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28798

This exploit demonstrates a remote file inclusion vulnerability in Bloq 0.5.4 by injecting a malicious URL into the 'page[path]' parameter, allowing arbitrary command execution via a remote file.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Bloq 0.5.4
No auth needed
Prerequisites: Remote file hosting with malicious payload · Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by KorsaN · textwebappsphp
https://www.exploit-db.com/exploits/28802

The code describes a remote file inclusion vulnerability in Bloq 0.5.4 due to insufficient sanitization of user-supplied data in the 'page[path]' parameter. An attacker can exploit this to include remote files and execute arbitrary commands.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Bloq 0.5.4
No auth needed
Prerequisites: Access to the vulnerable endpoint · Remote file hosting capability
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2039
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/448603/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20512
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29585

Scores

EPSS 0.0252
EPSS Percentile 82.8%

Details

Status published
Products (1)
php/bloq 0.5.4
Published Dec 15, 2006
Tracked Since Feb 18, 2026