| VID |
21440 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
ZeroBoard is vulnerable to remote PHP file include vulnerabilities. ZeroBoard is a freely available, open-source, PHP-based bulletin board package that is widely used in Korea. ZeroBoard version 4.1pl4 and earlier are vulnerable to multiple PHP source injection and cross-site scripting vulnerabilities, as follows:
1. A remote PHP file include vulnerability in outlogin.php could allow a remote attacker to execute arbitrary external PHP code.
2. A remote PHP file include vulnerability in write.php could allow a remote attacker to execute arbitrary external PHP code.
3. check_user_id.php does not validate the input value of user_id, allowing an attacker to carry out a cross-site scripting attack.
These vulnerabilities could allow a remote attacker to run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.
* References:
  http://www.securiteam.com/unixfocus/6Z00N20C0Y.html
  http://www.securityfocus.com/archive/1/385450
* Platforms Affected:
  ZeroBoard version 4.1pl4 and earlier
  Any operating system Any version |
| Recommendation |
Upgrade to the latest version of ZeroBoard (4.1pl5 or later), available from the ZeroBoard Web Site at http://www.nzeo.com/ |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|