CVE-2006-5546 in OTSCMS
Summary
by MITRE
PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open Tibia Server Content Management System (OTSCMS) 1.3.0 through 1.4.1 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][otscms][directories][classes] parameter.
Analysis
by VulDB Data Team • 04/25/2026
CVE-2006-5546 is a critical remote file inclusion flaw in the Open Tibia Server Content Management System (OTSCMS), versions 1.3.0 through 1.4.1. It resides in the OTSCMS.php file and specifically concerns the GLOBALS[config][otscms][directories][classes] parameter, which gives a remote attacker a path to inject and execute arbitrary PHP code on the affected server. The vulnerability falls under the categories of insecure direct object references and improper input validation, both of which are commonly exploited in web application attacks.
Exploitation occurs when an attacker sets the GLOBALS parameter to point at a remote URL containing PHP code. OTSCMS does not validate or sanitize this parameter before using it in a file inclusion, so the application fetches and executes the external PHP file. The attacker thereby bypasses normal access controls and runs commands with the privileges of the web server process. The flaw is particularly dangerous because it yields complete remote code execution without authentication, which makes it a prime target for automated exploitation tools.
From an operational perspective, this vulnerability creates significant risk for organizations running affected OTSCMS versions, particularly those hosting web applications or gaming platforms that rely on the system. The impact extends beyond simple code execution to include potential data breaches, system compromise, and complete server takeover. Attackers can leverage this vulnerability to install backdoors, steal sensitive data, or use the compromised server for further attacks against other systems. The vulnerability also poses risks to the broader ecosystem since OTSCMS was often used in gaming communities and server hosting environments where multiple users interact with the platform.
Security professionals should note that this vulnerability aligns with CWE-88 (Improper Neutralization of Argument Delimiters in a Command) and CWE-94 (Improper Control of Generation of Code), covering both command injection and code execution. The attack pattern matches techniques documented in the MITRE ATT&CK framework under T1059 (Command and Scripting Interpreter) and T1190 (Exploit Public-Facing Application). Organizations should implement immediate mitigations, including input validation, parameter sanitization, and the removal of any functionality that allows external file inclusion. The most effective long-term fix is to upgrade to a patched version of OTSCMS or to add input validation that prevents such parameters from being abused. Web application firewalls and runtime application self-protection mechanisms can provide further defense layers against similar vulnerabilities in the future.
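The inclusion mechanism described above and the mitigations just listed, as an added example that is not OTSCMS code: a class loader that takes its directory from a code-defined configuration rather than from $GLOBALS, rejects stream wrappers, and confines the resolved path to the application root. The config layout, the `classes/` directory and the `Database` class name are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not part of OTSCMS). Hardened loading of class files whose
// directory is read from a configuration array shaped like the one named in
// the advisory: $config['otscms']['directories']['classes'].
//
// Defence in depth beyond this code, in php.ini: register_globals=Off (removed
// in PHP 5.4; with it on, a request parameter named GLOBALS[...] could overwrite
// the real configuration) and allow_url_include=Off so include() never fetches
// remote URLs even if a path check is bypassed.

/** Return the canonical class directory, or throw if it is not trustworthy. */
function validatedClassDir(array $config, string $appRoot): string
{
    $dir = $config['otscms']['directories']['classes'] ?? null;
    if (!is_string($dir) || $dir === '') {
        throw new RuntimeException('class directory is not configured');
    }
    // Reject any scheme prefix: http://, ftp://, php://, data:, phar:// ...
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $dir)) {
        throw new RuntimeException('stream wrappers are not allowed');
    }
    $real     = realpath($dir);      // collapses ../ and symlinks
    $rootReal = realpath($appRoot);
    if ($real === false || $rootReal === false || !is_dir($real)) {
        throw new RuntimeException('class directory does not exist');
    }
    // Must be the app root itself or a directory below it.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('class directory escapes the application root');
    }
    return $real;
}

/** Include one class file; the class name is restricted to a PHP identifier. */
function loadClass(array $config, string $appRoot, string $class): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        throw new InvalidArgumentException('invalid class name');
    }
    require_once validatedClassDir($config, $appRoot)
        . DIRECTORY_SEPARATOR . $class . '.php';
}

// Hypothetical configuration defined in code, never taken from $GLOBALS or
// the request, so no query-string parameter can redirect the include.
$config = ['otscms' => ['directories' => ['classes' => __DIR__ . '/classes']]];
loadClass($config, __DIR__, 'Database');
```

With this structure a value such as a remote URL or a path outside the application root is rejected before include() runs, and the php.ini settings named in the comments stop remote inclusion even where application code is not fixed.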