PBLang Bulletin Board Multiple HTML Injection and XSS
Medium Nessus Network Monitor Plugin ID 2643
The remote host is vulnerable to multiple attack vectors.
The remote host is running PBLang, a bulletin board system written in PHP. This version of PBLang is vulnerable to a remote Cross-Site Scripting (XSS) flaw. In addition, this version of PBLang is vulnerable to an HTML injection flaw within the pmpshow.php script. An attacker exploiting these flaws would be need to be able to convince a user to click on a malicious URL. Upon successful exploitation, the attacker would be able to steal credentials or execute code within the browser. A third flaw, which does not require user interaction, has been discovered with this version of PBLang. Specifically, files outside of the web root may be displayed to remote users. This sort of attack is known as a 'directory-traversal' attack, and would allow an attacker to craft a remote query such that the returned data would contain potentially confidential data (/etc/passwd file, HTTPD configuration files, and more.)
Upgrade or patch according to vendor recommendations.