cbcvebase.
CVE-2006-2685
published 2006-05-31

CVE-2006-2685: PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers…

PriorityP341medium4CVSS 2.0
AVNACHAuNCPIPAN
EXPLOIT
EPSS
49.19%
98.7th percentile
PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the BASE_path parameter to (1) base_qry_common.php, (2) base_stat_common.php, and (3) includes/base_include.inc.php.

Affected

4 ranges
VendorProductVersion rangeFixed in
kevin_johnsonbasic_analysis_and_security_engine
kevin_johnsonbasic_analysis_and_security_engine
kevin_johnsonbasic_analysis_and_security_engine
kevin_johnsonbasic_analysis_and_security_engine

Detection & IOCsextracted from sources · hover to see the quote

path/base/base_qry_common.php?BASE_path=!URL!
filenamebase_qry_common.php
filenamebase_stat_common.php
filenameincludes/base_include.inc.php
  • Monitor HTTP requests targeting BASE PHP files with a remote URL supplied in the BASE_path parameter, indicating remote file inclusion exploitation attempt.
  • Look for GET requests to /base/base_qry_common.php (or /snort/base_qry_common.php) where BASE_path contains an http:// or https:// URL, which is the canonical exploit pattern for this RFI.
  • The Metasploit module hex-encodes the remote payload URL using Rex::Text.to_hex with '%' prefix before injecting it into BASE_path; detect percent-encoded URLs in the BASE_path query parameter as an evasion indicator.
  • The vulnerability requires register_globals to be enabled on the target PHP installation; correlate exploitation attempts with PHP environments where register_globals is on.
  • ·The vulnerability is only exploitable when PHP's register_globals directive is enabled; systems with register_globals disabled are not affected.
  • ·Affected versions are BASE 1.2.4 and earlier (codename 'melissa'); the Metasploit module targets this version range exclusively.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.