CVE-2006-5220 in WebYep
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath in (1) files in the programm/lib/ directory including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php, and (m) WYTextArea.php; (2) files in the programm/elements/ directory including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php, and (u) WYShortTextElement.php; and (3) programm/webyep.php.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/24/2026
This vulnerability represents a critical remote file inclusion flaw in WebYep 1.1.9 that exploits the dangerous combination of register_globals being enabled and improper input validation. The vulnerability stems from the application's failure to properly sanitize the webyep_sIncludePath parameter, which is used to include various PHP files throughout the application's codebase. When register_globals is enabled, attacker-controlled variables can be injected into the global namespace, creating a pathway for arbitrary code execution. The flaw affects multiple core files across different directories, including library components and element handlers, making it particularly dangerous as it can be exploited across various application functionalities. This vulnerability directly maps to CWE-88, which describes improper neutralization of special elements in input data, and CWE-94, which covers improper control of generation of code, both of which are fundamental weaknesses in input validation and code execution control.
The operational impact of this vulnerability is severe as it allows remote attackers to execute arbitrary PHP code on the target server without authentication. Attackers can leverage this by crafting malicious URLs that include their own PHP payloads in the webyep_sIncludePath parameter, which then gets included and executed by the vulnerable application. The attack surface is extensive since the vulnerability affects multiple files in both the programm/lib/ and programm/elements/ directories, meaning that exploitation can occur through various entry points depending on the specific functionality being targeted. This creates a multi-vector attack scenario where an attacker can choose the most effective path to achieve code execution, making the vulnerability particularly challenging to defend against.
The exploitation of this vulnerability aligns with several tactics described in the MITRE ATT&CK framework, specifically covering T1190 for Exploit Public-Facing Application and T1059 for Command and Scripting Interpreter. The vulnerability enables attackers to establish persistent access through code execution, potentially leading to full system compromise. Organizations running WebYep 1.1.9 with register_globals enabled face significant risk, as this vulnerability can be exploited through simple web requests without requiring any special privileges or advanced techniques. The impact extends beyond immediate code execution to potential data breaches, system compromise, and unauthorized access to sensitive information stored within the application's environment. The vulnerability also demonstrates the critical importance of proper input validation and the dangers of enabling dangerous PHP configuration options like register_globals in production environments.
Mitigation strategies should focus on immediate remediation through patching the WebYep application to version 1.1.10 or later, which addresses this vulnerability. Additionally, administrators must disable register_globals in php.ini configuration files, as this setting fundamentally enables the attack vector. Input validation should be implemented at multiple layers, including application-level sanitization of the webyep_sIncludePath parameter and the implementation of allowlist-based file inclusion mechanisms. Network-level protections such as web application firewalls can provide additional defense in depth, though they should not be relied upon as the sole mitigation. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other applications, as this vulnerability type remains common in legacy PHP applications. The fix should also include implementing proper access controls and monitoring for unusual file inclusion patterns that might indicate exploitation attempts.