PT-2006-3830 · Deluxebb · Deluxebb

Andreas Sandblad

Published

2006-06-23

Updated

2018-10-18

CVE-2006-2914

CVSS v2.0

5.1

Medium

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions DeluxeBB version 1.06

Description The issue allows remote attackers to execute arbitrary code via a URL in the templatefolder parameter to various PHP files, including 'postreply.php', 'posting.php', and 'pm/newpm.php' in both the 'deluxe/' and 'default/' directories.

Recommendations For DeluxeBB version 1.06, as a temporary workaround, consider restricting access to the templatefolder parameter in the affected PHP files until a patch is available. Avoid using the templatefolder parameter in the affected API endpoints, such as 'postreply.php', 'posting.php', and 'pm/newpm.php', until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-2914

Affected Products

Deluxebb

PT-2006-3830 · Deluxebb · Deluxebb

CVE-2006-2914

Related Identifiers

Affected Products

References · 18