PT-2006-3366 · Unclassified Newsboard · Unclassified Newsboard

Rgod

Published

2006-05-16

Updated

2018-10-18

CVE-2006-2405

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Unclassified NewsBoard (UNB) versions 1.6.1 patch 1 and earlier

Description The issue allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing null byte (%00) in the ABBC[Config][smileset] parameter to "unb lib/abbc.css.php". This is possible when register globals is enabled.

Recommendations For Unclassified NewsBoard (UNB) versions 1.6.1 patch 1 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the "unb lib/abbc.css.php" file and avoid using the ABBC[Config][smileset] parameter until a fix is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-2405

Affected Products

Unclassified Newsboard

PT-2006-3366 · Unclassified Newsboard · Unclassified Newsboard

CVE-2006-2405

Related Identifiers

Affected Products

References · 11