CVE-2006-7128
JAF CMS 4.0 RC1 - Remote File Inclusion via Forum Website Parameter
Exploitation Summary
EIP tracks 2 public exploits for CVE-2006-7128. PoCs published by Kacper.
AI-analyzed exploit summary: This Perl script exploits a remote file inclusion vulnerability in JAF CMS <= 4.0 RC1 by injecting a remote shell path into the 'website' parameter of the forum module. It uses a GUI interface to allow the attacker to specify the target URL, shell path, and command to execute.
Description
PHP remote file inclusion vulnerability in forum/forum.php in JAF CMS 4.0 RC1 allows remote attackers to execute arbitrary PHP code via a URL in the website parameter.
Exploits (2)
This Perl script exploits a remote file inclusion vulnerability in JAF CMS <= 4.0 RC1 by injecting a remote shell path into the 'website' parameter of the forum module. It uses a GUI interface to allow the attacker to specify the target URL, shell path, and command to execute.
This exploit demonstrates a Remote File Include (RFI) vulnerability in JAF-CMS 4.0 RC2. The exploit provides URLs that can be used to include arbitrary remote files via the 'website' and 'main_dir' parameters in multiple PHP scripts.