CVE-2006-3755 in FlushCMS
Summary
by MITRE
PHP remote file inclusion vulnerability in Include/editor/class.rich.php in FlushCMS 1.0.0-pre2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the class_path parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Analysis
by VulDB Data Team • 10/25/2025
The vulnerability described in CVE-2006-3755 represents a critical remote file inclusion flaw within FlushCMS version 1.0.0-pre2 and earlier installations. This vulnerability exists in the Include/editor/class.rich.php component where the application fails to properly validate user input before incorporating external resources. The flaw specifically manifests when the class_path parameter is manipulated with a URL, allowing attackers to inject and execute arbitrary PHP code on the target system. This type of vulnerability falls under the category of CWE-88, which describes improper neutralization of special elements used in an expression, and more specifically maps to CWE-94, which addresses the execution of arbitrary code or commands. The attack vector leverages the PHP include functionality to pull remote content, effectively bypassing local security controls and enabling remote code execution.
The operational impact of this vulnerability is severe and far-reaching for affected systems. An unauthenticated remote attacker can exploit this flaw to execute arbitrary PHP code with the privileges of the web server process, potentially leading to complete system compromise. The vulnerability enables attackers to upload malicious files, establish persistent backdoors, or manipulate database content directly. Given that this affects a content management system, successful exploitation could result in data theft, service disruption, or unauthorized access to sensitive information. The vulnerability's remote nature means that attackers do not require local access or credentials to exploit it, making it particularly dangerous in environments where CMS systems are exposed to the internet.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1190, which describes the use of remote services to gain initial access, and T1059, which covers the execution of commands through various interfaces including PHP. The attack typically involves crafting a malicious URL that points to a remote server hosting attacker-controlled PHP code, which is then included and executed by the vulnerable FlushCMS application. The lack of input validation in the class_path parameter creates an opportunity for attackers to manipulate the include path to reference external resources, bypassing normal security boundaries. This vulnerability demonstrates the critical importance of proper input sanitization and the principle of least privilege in web application security, as it allows attackers to execute code with elevated permissions.
Mitigation strategies for this vulnerability should focus on immediate patching of affected systems, as FlushCMS 1.0.0-pre2 and earlier versions are no longer supported. Organizations should implement input validation and sanitization so that user-supplied data is never used in include statements without verification. The allow_url_include and allow_url_fopen directives in php.ini should be disabled when possible, and applications should be configured to use absolute paths instead of relative or user-supplied paths for file inclusion operations. Network-based mitigations such as web application firewalls and intrusion prevention systems can help detect and block exploitation attempts, while regular security audits and code reviews should be conducted to identify similar vulnerabilities in other components. Additionally, implementing proper access controls and monitoring for unusual file inclusion patterns can help detect potential exploitation attempts. The vulnerability serves as a reminder of the critical need for secure coding practices and the importance of validating all user inputs to prevent injection attacks that could lead to complete system compromise.
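One way to monitor for the file inclusion pattern described above is to scan web server access logs for requests to Include/editor/class.rich.php whose class_path value decodes to a URL. The following is an added example, not code from FlushCMS, MITRE or VulDB; it assumes Common/Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script path and parameter named in the CVE description.
TARGET_PATH = "/include/editor/class.rich.php"
TARGET_PARAM = "class_path"

# Client, request target and status from a Common/Combined Log Format line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# A URI scheme of two or more characters (so "C:" drive letters are ignored).
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]+:", re.IGNORECASE)

# Constructed sample lines; addresses and hosts are documentation values.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Oct/2025:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Oct/2025:09:00:02 +0000] "GET /Include/editor/class.rich.php?class_path=Include/editor/ HTTP/1.1" 200 830',
    '203.0.113.5 - - [25/Oct/2025:09:03:10 +0000] "GET /Include/editor/class.rich.php?class_path=http://host.example/inc/ HTTP/1.1" 200 17',
    '203.0.113.5 - - [25/Oct/2025:09:03:12 +0000] "GET /cms/include/editor/class.rich.php?a=1&class_path=hTTp%253A%252F%252Fhost.example%252Finc%252F HTTP/1.1" 404 0',
    'not a log line',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(log_lines):
    """Return (client, status, decoded class_path) for each suspicious request."""
    hits = []
    for line in log_lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, target, status = match.groups()
        parts = urlsplit(target)
        if not fully_decode(parts.path).lower().endswith(TARGET_PATH):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(value)
            if name.lower() == TARGET_PARAM and SCHEME_RE.match(value):
                hits.append((client, int(status), value))
    return hits
```

Access logs record only the query string, so a class_path value sent in a request body is not visible to this check and needs WAF or application-level logging instead.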