CVE-2006-5167 in Basilix Webmail
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in BasiliX 1.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) BSX_LIBDIR parameter in scripts in /files/ including (a) abook.php3, (b) compose-attach.php3, (c) compose-menu.php3, (d) compose-new.php3, (e) compose-send.php3, (f) folder-create.php3, (g) folder-delete.php3, (h) folder-empty.php3, (i) folder-rename.php3, (j) folders.php3, (k) mbox-action.php3, (l) mbox-list.php3, (m) message-delete.php3, (n) message-forward.php3, (o) message-header.php3, (p) message-print.php3, (q) message-read.php3, (r) message-reply.php3, (s) message-replyall.php3, (t) message-search.php3, or (u) settings.php3; and the (2) BSX_HTXDIR parameter in (v) files/login.php3.
Analysis
by VulDB Data Team • 04/23/2026
The vulnerability identified as CVE-2006-5167 represents a critical remote file inclusion flaw in BasiliX 1.1.1 and earlier versions, classified under CWE-829 as an inclusion of code from an untrusted source. This vulnerability manifests across multiple script files within the application's /files/ directory, specifically targeting parameters that handle directory paths for library and HTTP directory references. The flaw allows remote attackers to inject malicious URLs that are then executed as PHP code, creating a severe security risk for affected systems.
The technical root cause is missing validation and sanitization of user-supplied parameters. When the BSX_LIBDIR parameter is passed to any of the listed scripts, such as abook.php3, compose-attach.php3, or message-read.php3, the application incorporates the value into a file inclusion operation without first validating or sanitizing it. The BSX_HTXDIR parameter in files/login.php3 presents the same risk. Because the parameter value is used directly as part of an include path, an attacker can supply a URL that points to an attacker-hosted PHP file and have the application fetch and execute it.
The operational impact of this vulnerability is substantial, as it enables attackers to execute arbitrary PHP code on the target server with the privileges of the web application. This capability allows for complete system compromise, data exfiltration, and potential lateral movement within the network. The vulnerability affects multiple entry points across the application's functionality, from address book management to message handling and system settings, providing attackers with extensive access to sensitive operations and data. The remote nature of the exploit means that attackers can leverage this vulnerability without requiring local access or authentication.
Mitigation for this vulnerability should focus on immediate input validation and parameter sanitization across all affected scripts. The most effective approach is strict input validation that rejects any non-numeric or otherwise unexpected input for directory parameters, combined with disabling remote file inclusion in the PHP configuration. Administrators should also apply proper access controls and network segmentation to limit the attack surface. This vulnerability aligns with ATT&CK technique T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), making it a likely target for automated exploitation tools and advanced persistent threat actors. Organizations should also consider deploying web application firewalls and running regular security assessments to identify similar vulnerabilities in other legacy applications.
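To make the root cause and the mitigations concrete, the following is an added illustration written for this page; it is not BasiliX's own code and it does not reproduce the actual contents of the affected .php3 scripts. It shows the kind of include pattern the analysis above describes (a directory taken from the request and spliced into an include path), followed by a hardened version that keeps the library directory as a deployment constant, maps any request-selected resource through an allow-list and a realpath() prefix check, and reports whether the interpreter still permits URL includes. The directory names lib/ and htx/, the file names common.inc and login.htx, and the template parameter are assumed for the example; the usage section at the bottom expects lib/common.inc and htx/login.htx to exist beside the script.

```php
<?php
// Added illustration for CVE-2006-5167 (not BasiliX's own code).
// Directory and file names here are hypothetical stand-ins.
declare(strict_types=1);

// --- Vulnerable pattern (shown only to explain the root cause) ------------
// A directory name is taken straight from the request and spliced into an
// include path. With allow_url_include=On a URL value makes PHP fetch and
// execute remote code; even with it Off this is still a local file
// inclusion / path traversal sink.
function vulnerableInclude(array $request): void
{
    $libdir = $request['BSX_LIBDIR'];            // attacker-controlled value
    include $libdir . '/common.inc';             // hypothetical include
}

// --- Hardened pattern -----------------------------------------------------
// 1. Never take a filesystem location from the request: the library
//    directory is a deployment constant, not a parameter.
const BSX_LIBDIR = __DIR__ . '/lib';             // hypothetical location

// 2. Where the request must select a resource (a template, say), map the
//    value through a fixed allow-list, then canonicalise with realpath()
//    and confirm the result still lies below the intended base directory.
function resolveAllowed(string $baseDir, array $allowed, string $requested): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;                             // not in the allow-list
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false) {
        return null;                             // base or target missing on disk
    }
    // realpath() collapses "../" and symlinks, so a prefix check is reliable.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                             // escaped the base directory
    }
    return $path;
}

// 3. Configuration check: list interpreter settings that still allow remote
//    inclusion or remote fopen wrappers. An empty array is the desired state.
function rfiConfigFindings(): array
{
    $findings = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is enabled; set it to Off in php.ini";
        }
    }
    return $findings;
}

// --- Example use (constructed): a login page choosing one of two templates.
$findings = rfiConfigFindings();
if ($findings !== []) {
    error_log('RFI hardening: ' . implode('; ', $findings));
}

$template = resolveAllowed(
    __DIR__ . '/htx',                            // hypothetical template dir
    ['login.htx', 'login-plain.htx'],            // the only permitted values
    $_GET['template'] ?? 'login.htx'
);
if ($template === null) {
    http_response_code(400);
    exit('invalid template');
}

include BSX_LIBDIR . '/common.inc';              // fixed path, never from the request
include $template;                               // validated, canonical, inside htx/
```

The allow-list is the real control: realpath() and the prefix comparison are a second line of defence against a value that slips past it, and the configuration check makes the deployment fail loudly if allow_url_include is ever switched back on. A web application firewall rule that flags URL-shaped values (http://, https://, ftp://, data:) in the BSX_LIBDIR and BSX_HTXDIR parameters is a reasonable compensating control for installations that cannot be patched immediately.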