| VID |
21590 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
A version of Ultimate PHP Board which is older than version 1.9.7 is detected as installed on the host. Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin Board for the Unix, Linux, and Windows operating systems. UPB versions prior to 1.9.7 are vulnerable to multiple input validation vulnerabilities in the viewforum.php script, which can be exploited by remote attackers to conduct cross-site scripting and SQL injection attacks:
1) A cross-site scripting vulnerability in the viewforum.php script can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
2) An SQL injection vulnerability in the viewforum.php script can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
* Note: This check solely relied on the version number of the Ultimate PHP Board installed on the remote web server to assess this vulnerability, so this might be a false positive.
* References:
http://securityfocus.com/archive/1/398127
* Platforms Affected:
MyUPB Ultimate PHP Board versions prior to 1.9.7
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Ultimate PHP Board (UPB) (1.9.7 or later), available from MyUPB Download Web site at http://www.myupb.com/ourscripts_upb.php |
| Related URL |
CVE-2005-1614,CVE-2005-1615 (CVE) |
| Related URL |
13621,13622 (SecurityFocus) |
| Related URL |
(ISS) |
|
