UBB.threads doeditconfig Arbitrary Command Injection

high Nessus Plugin ID 22480

Synopsis

The remote web server contains a PHP script that allows injection of arbitrary PHP commands.

Description

The version of UBB.threads installed on the remote host fails to sanitize input to the 'thispath' and 'config' parameters of the 'admin/doeditconfig.php' script before using them to update the application's configuration file. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit this flaw to modify configuration settings for the affected application and even inject arbitrary PHP code that is executed whenever the config file is loaded.

The installed version is reported to be vulnerable to additional issues; however, Nessus has not tested for them.

Solution

Either disable PHP's 'register_globals' setting or upgrade to UBB.threads 6.5.5 or later.

See Also

http://www.nessus.org/u?5b90f99d

http://www.nessus.org/u?0666a806

http://www.nessus.org/u?324c0824

Plugin Details

Severity: High

ID: 22480

File Name: ubbthreads_doeditconfig_cmd_injection.nasl

Version: 1.24

Type: remote

Family: CGI abuses

Published: 9/30/2006

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Required KB Items: www/ubbthreads

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 9/30/2006

Reference Information

CVE: CVE-2006-5137

BID: 20266