Mbrooks

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue concerns a default administrator login account and password included in the installation of the software, allowing remote attackers to gain privileges. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, change the default administrator login account and password immediately after installation to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue allows remote attackers to determine a suitable decryption key given the plaintext and ciphertext. This is achieved by obtaining the plaintext password, which is sent when logging in, and the ciphertext, which is set in the `pass env` cookie. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue allows remote attackers to gain access by modifying certain parameters in a cookie. These parameters, including `user env`, `pass env`, `power env`, and `id env`, can be exploited to create a persistent logon that remains unchanged across different sessions. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, consider restricting access to the parameters `user env`, `pass env`, `power env`, and `id env` in cookies to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue allows remote attackers to create arbitrary accounts via the "[NR]" sequence in the `signature` field. This sequence is used to separate multiple records. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, as a temporary workaround, consider restricting access to the `register.php` file until a patch is available. Additionally, avoid using the "[NR]" sequence in the `signature` field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence and trailing null (%00) byte in the `id` parameter. This can be demonstrated by injecting a Perl CGI script using "[NR]" sequences in the `message` parameter, then calling "close.php" with modified `id` and `t id` parameters to chmod the script. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, consider restricting access to the `newpost.php` file and the `close.php` file until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint and restrict the use of the `message` parameter to prevent injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 and earlier **Description** The issue allows remote authenticated administrators to execute arbitrary PHP code via multiple unspecified configuration fields in admin chatconfig.php, admin configcss.php, admin config.php, or admin config2.php, which are stored as configuration settings. This can be exploited by remote attackers by leveraging other vulnerabilities in UPB. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 and earlier, consider restricting access to the configuration fields in the affected files until a patch is available. As a temporary workaround, limit the privileges of administrators to minimize the risk of exploitation.