CVE-2006-6661

PHP-Update <2.7 - RCE

Title source: llm

Description

Variable overwrite vulnerability in blog.php in PHP-Update 2.7 and earlier allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code via multiple vectors that use the extract function, as demonstrated by the (1) f, (2) newmessage, (3) newusername, (4) adminuser, and (5) permission parameters.

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/2953

View Code ZIP pw:eip

References (3)

[Third Party Advisory] http://www.vupen.com/english/advisories/2006/5088

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/2953

[Third Party Advisory] http://secunia.com/advisories/23407

Scores

EPSS 0.0326

EPSS Percentile 87.2%

Details

Status published

Products (1)

php-update/php-update < 2.7

Published Dec 20, 2006

Tracked Since Feb 18, 2026