CVE-2006-5539
Description
PHP remote file inclusion vulnerability in login/secure.php in UeberProject Management System 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfg[homepath] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:ueberproject_management_system:ueberproject_management_system:*:*:*:*:*:*:*:* (range: <=1.0)
- (no CPE) (range: <=1.0)
Patches
Vulnerability mechanics
Root cause
"Unvalidated inclusion of user-supplied URL in the `$cfg[homepath]` parameter allows remote file inclusion."
Attack vector
An attacker sends an HTTP request to `login/secure.php` with the `cfg[homepath]` parameter set to a URL pointing to a malicious PHP script hosted on an attacker-controlled server [ref_id=1]. The vulnerable code at line 12 concatenates this value with `$cfgProgDir2` to form `$cfgRealProgDir`, which is then passed to `include()` on line 113 [ref_id=1]. Because the input is not sanitized or restricted, PHP will fetch and execute the remote file, giving the attacker arbitrary code execution on the target server. No authentication is required and the only precondition is that the `allow_url_include` PHP setting is enabled.
What the fix does
No patch is included in the bundle. The advisory does not provide a fix, but the remediation would require validating that `$cfg[homepath]` is a local path (e.g., checking it does not contain `http://` or `ftp://`) and avoiding the use of user-controlled input in file inclusion constructs. Disabling `allow_url_include` in PHP configuration would also prevent this class of remote file inclusion attack.
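Added illustrative example, not UeberProject's own source: the include pattern the narrative describes for `login/secure.php`, followed by a hardened form that confines the configurable path to the application tree and rejects stream-wrapper URLs. Variable names `$cfg['homepath']`, `$cfgProgDir2` and `$cfgRealProgDir` are taken from the advisory; `APP_BASE`, `resolve_local_path()` and `somefile.php` are assumed placeholders.

```php
<?php
// Vulnerable pattern as described in the advisory (shown as comments only):
//   $cfgRealProgDir = $cfg['homepath'] . $cfgProgDir2;  // prefix comes from the request
//   include($cfgRealProgDir . 'somefile.php');           // fetches and runs a remote file
// With allow_url_include=On (PHP >= 5.2; on older PHP, allow_url_fopen alone
// was sufficient) a URL in $cfg['homepath'] makes include() load remote code.

// Hardened form: include paths are anchored to a fixed base directory and any
// configurable component must resolve to a location inside that directory.
define('APP_BASE', __DIR__ . '/..');   // assumed application root

function resolve_local_path(string $candidate, string $base): ?string
{
    // Reject anything carrying a scheme (http://, ftp://, php://, data:, ...)
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;
    }
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . $candidate);
    if ($baseReal === false || $real === false) {
        return null;                   // non-existent or unresolvable path
    }
    // The resolved path must stay inside $base; this also blocks ../ traversal.
    if ($real !== $baseReal
        && strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// $cfg['homepath'] is treated as untrusted even if it normally comes from config.
$homepath = resolve_local_path((string)($cfg['homepath'] ?? ''), APP_BASE);
if ($homepath === null) {
    http_response_code(400);
    exit('invalid homepath');
}
$cfgRealProgDir = $homepath . '/' . $cfgProgDir2;
include $cfgRealProgDir . 'somefile.php';

// Defence in depth (php.ini): allow_url_include = Off, and allow_url_fopen = Off
// where the application does not need remote streams at all.
```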
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.