Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability

Bugtraq ID:	21760
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 26 2006 12:00AM
Updated:	Jan 02 2007 10:51PM
Credit:	nuffsaid is credited with discovering this vulnerability.
Vulnerable:	Ultimate PHP Board Ultimate PHP Board 2.0 Ultimate PHP Board Ultimate PHP Board 1.9.6 Ultimate PHP Board Ultimate PHP Board 1.9 Ultimate PHP Board Ultimate PHP Board 1.8.2 Ultimate PHP Board Ultimate PHP Board 1.8 Ultimate PHP Board Ultimate PHP Board 1.0 b Ultimate PHP Board Ultimate PHP Board 1.0 final beta Ultimate PHP Board Ultimate PHP Board 1.0 Ultimate PHP Board Ultimate PHP Board 2.0.b1
Not Vulnerable:

Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability

Ultimate PHP Board is prone to an arbitrary remote code-execution vulnerability because the application fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary PHP code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.

Ultimate PHP Board 2.01b and prior versions are vulnerable.

Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability

Attackers may exploit this issue through a web browser.

The following exploit code is available:

• /data/vulnerabilities/exploits/21760.pl

Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].

Ultimate PHP Board Username Parameter Remote Code Execution Vulnerability

References:

• Ultimate PHP Board Homepage (Ultimate PHP Board)