CVE-2006-2405

Name of the Vulnerable Software and Affected Versions Unclassified NewsBoard (UNB) versions 1.6.1 patch 1 and earlier

Description The issue allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing null byte (%00) in the ABBC[Config][smileset] parameter to "unb lib/abbc.css.php". This is possible when register globals is enabled.

Recommendations For Unclassified NewsBoard (UNB) versions 1.6.1 patch 1 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the "unb lib/abbc.css.php" file and avoid using the ABBC[Config][smileset] parameter until a fix is available.