Vendor: Ultimate PHP Board
By: SecurityFocus
CVSS: 7.5 HIGH
Script Code Injection
CWE: 79
Product Name: Ultimate PHP Board
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix, Linux, Microsoft Windows
2002
Ultimate PHP Board (UPB) Script Code Injection Vulnerability
Ultimate PHP Board (UPB) is web forum software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems. Ultimate PHP Board does not filter script code from image tags. This may allow an attacker to include script code in forum messages. Injected script code will be executed in the browser of an arbitrary web user who views the malicious forum message, in the context of the website running UPB. It may be possible to inject script code into other UPB-Code formatting tags, though this has not been confirmed.
Mitigation:
Filter script code from image tags.
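One way to apply this mitigation, shown as an added example that is not UPB's own code: escape the whole message first, then rebuild image tags only from URLs that pass an allowlist. The `[img]URL[/img]` tag syntax and the function names `safe_image_url` and `render_message` are assumptions for illustration.

```php
<?php
// Added example, not UPB code. Assumes image tags are written [img]URL[/img].

/** Return the URL if it may be placed in an <img src>, otherwise null. */
function safe_image_url(string $raw): ?string
{
    $url = trim($raw);
    // Control characters, whitespace, quotes and angle brackets never belong in an image URL.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist the scheme instead of trying to blocklist script-bearing ones.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

/** Render a forum message: escape everything, then rebuild only validated image tags. */
function render_message(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            // Validate the value the user typed, not its escaped form.
            $url = safe_image_url(htmlspecialchars_decode($m[1], ENT_QUOTES));
            if ($url === null) {
                return $m[0]; // rejected: stays as inert, already-escaped text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    ) ?? $escaped; // on a regex engine error, fall back to the fully escaped message
}

// Constructed sample messages (not taken from the advisory).
$samples = [
    'ok [img]https://example.test/cat.png?w=1&h=2[/img]',
    'bad scheme [img]javascript:void(0)[/img]',
    'quote in URL [img]https://example.test/a.png" x="y[/img]',
    'raw markup <script>x</script>',
];
foreach ($samples as $s) {
    echo render_message($s), PHP_EOL;
}
```

Only the first sample produces an `<img>` element; the other three come out as escaped text. The same escape-then-allowlist pattern applies to any other formatting tag that ends up in an HTML attribute.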