VID | 21680 |
Severity | 30 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
According to its version number, the Ultimate PHP Board installation on the remote Web server has a weak password encryption vulnerability. Ultimate PHP Board (UPB) is a freely available, open source PHP bulletin board for the Unix, Linux, and Windows operating systems. Ultimate PHP Board version 1.9.6 and earlier versions may store the users.dat file under the web document root with insufficient access control. Because the application fails to protect passwords with a sufficiently effective encryption scheme, a remote attacker can gain access to user and administrator passwords for the affected application.
* Note: This check relies solely on the version number of Ultimate PHP Board on the remote Web server to assess this vulnerability, so the result might be a false positive.
* References: http://securityfocus.com/archive/1/402506 http://securityfocus.com/archive/1/402461 http://www.osvdb.org/displayvuln.php?osvdb_id=17374
* Platforms Affected: X-Crew, Ultimate PHP Board version 1.9.6 and earlier versions; Any operating system, any version |
Recommendation |
No upgrade or patch was available as of August 2005.
Upgrade to the latest version of Ultimate PHP Board (UPB) when a fixed version becomes available from the MyUPB Download Web site at http://www.myupb.com/ourscripts_upb.php |
Related URL | CVE-2005-2005, CVE-2005-2030 (CVE) |
Related URL | 13975 (SecurityFocus) |
Related URL | 21045 (ISS) |