CVE-2006-5735 in PunBBinfo

Summary

by MITRE

Directory traversal vulnerability in include/common.php in PunBB before 1.2.14 allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the language parameter, related to register.php storing a language value in the users table.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/26/2026

The vulnerability described in CVE-2006-5735 represents a critical directory traversal flaw within the PunBB bulletin board system prior to version 1.2.14. This vulnerability exists in the include/common.php file and specifically affects the handling of language parameters during user registration processes. The flaw allows authenticated remote attackers to manipulate the language parameter in register.php, which subsequently gets stored in the users table and later retrieved for inclusion in common.php. This creates a path traversal condition where attackers can exploit the .. (dot dot) sequence to navigate outside the intended directory structure and access arbitrary local files on the server.

The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the PunBB application's language handling mechanism. When users register through register.php, the language parameter they select gets stored in the database within the users table. During subsequent page loads, the system retrieves this stored language value and includes it directly in the common.php file without proper sanitization. This direct inclusion pattern creates an ideal environment for path traversal attacks where attackers can manipulate the language parameter to include files from unintended directories. The vulnerability is classified as CWE-22, which specifically addresses path traversal or directory traversal vulnerabilities that allow attackers to access files outside of the intended directory structure.

The operational impact of this vulnerability is severe and multifaceted. An authenticated attacker can leverage this flaw to execute arbitrary code on the target system by including and executing local files that should remain protected. This includes accessing sensitive configuration files, database credentials, or even system files that contain critical application data. The vulnerability essentially provides a backdoor mechanism for attackers to escalate privileges and gain deeper access to the server infrastructure. Additionally, since the vulnerability requires only authentication, it can be exploited by users who have legitimate access to the forum, making detection more difficult and potentially allowing for insider threats. The attack vector aligns with ATT&CK technique T1505.003, which covers the use of web shells and includes for code execution.

Mitigation strategies for CVE-2006-5735 focus on implementing proper input validation and sanitization measures. The most effective approach involves removing or escaping special characters from user-supplied language parameters before storing them in the database. The system should validate that language values conform to predefined acceptable patterns and reject any input containing directory traversal sequences. Additionally, implementing proper file inclusion practices such as using whitelisting mechanisms for language selection or employing secure include functions that prevent path traversal attacks. Organizations should also ensure that all PunBB installations are updated to version 1.2.14 or later where this vulnerability has been patched. The fix typically involves modifying the registration process to sanitize language parameters and ensuring that the include/common.php file does not directly include user-controllable variables without proper validation. Network monitoring should also be enhanced to detect unusual patterns of file access that might indicate exploitation attempts, particularly around the register.php endpoint and user table modifications.

Reservation

11/06/2006

Disclosure

11/06/2006

Moderation

accepted

Entry

VDB-33128

CPE

ready

Exploit

Download

EPSS

0.14511

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!