CVE-2006-3208

Direct static code injection vulnerability in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote authenticated administrators to execute arbitrary PHP code via multiple unspecified "configuration fields" in (1) admin_chatconfig.php, (2) admin_configcss.php, (3) admin_config.php, or (4) admin_config2.php, which are stored as configuration settings. NOTE: this issue can be exploited by remote attackers by leveraging other vulnerabilities in UPB.

Published: Jun 24, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-3208
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
ultimate_php_board / ultimate_php_board	1.9.6	1.9.6.x
ultimate_php_board / ultimate_php_board	1.8	1.8.x
ultimate_php_board / ultimate_php_board	1.8.2	1.8.2.x
ultimate_php_board / ultimate_php_board	1.9	1.9.x

http://securityreason.com/securityalert/1138
http://www.kliconsulting.com/users/mbrooks/UPB_0-day.txt
http://www.securityfocus.com/archive/1/437875/100/0/threaded

Vulnerability Database

289,697

CVE-2006-3208