[VIM] Unclassified NewsBoard directory traversal variant

Steven M. Christey coley at mitre.org
Wed May 17 03:12:17 EDT 2006


FYI.

======================================================
Name: CVE-2006-2406
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2406
Acknowledged: yes followup
Announced: 20060511
Flaw: dot
Reference: CONFIRM:http://newsboard.unclassified.de/forum/post/6499

Directory traversal vulnerability in bb_lib/abbc.css.php in
Unclassified NewsBoard (UNB) 1.5.3-d and possibly earlier versions,
when register_globals is enabled, allows remote attackers to include
arbitrary files via .. (dot dot) sequences and a trailing null byte
(%00) in the design_path parameter.  NOTE: this is closely related,
but a different vulnerability than the ABBC[Config][smileset]
parameter.


Analysis:
ACCURACY: This is based on the post of rgod in the vendor confirmation
"hi, rgod here, 1.5 branch is also vulnerable, check for design_path
var in bb_lib/abbc.css.php, same issue" - assuming that by "same
issue" the researcher means dot. No further investigation was
performed. ACKNOWLEDGEMENT: "Okay, for version 1.5.3-d (and possibly
previous) I suggest the following patch, for bb_lib/abbc.css.php,
around line 13". This issue will not be patched by the vendor.




More information about the VIM mailing list