Vulnerabilities > CVE-2005-1614 - Cross-Site Scripting vulnerability in Ultimate PHP Board

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
ultimate-php-board
nessus
exploit available
NVD
Published: 2005-05-16
Updated: 2016-10-18

Summary

Cross-site scripting (XSS) vulnerability in viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows remote attackers to inject arbitrary web script or HTML via the postorder parameter.

Vulnerable Configurations

Part Description Count
Application
Ultimate_Php_Board
4

Exploit-Db

descriptionUltimate PHP Board 1.8/1.9 ViewForum.PHP Cross-Site Scripting Vulnerability. CVE-2005-1614. Webapps exploit for php platform
idEDB-ID:25654
last seen2016-02-03
modified2005-05-13
published2005-05-13
reporterMorinex Eneco
sourcehttps://www.exploit-db.com/download/25654/
titleUltimate PHP Board 1.8/1.9 ViewForum.PHP Cross-Site Scripting Vulnerability

Nessus

NASL familyCGI abuses
NASL idUPD_XSS_SQL_INJECTION.NASL
descriptionThe remote host is running Ultimate PHP Board (UPB). The remote version of this software is vulnerable to cross-site scripting attacks, and SQL injection flaws. Using a specially crafted URL, an attacker may execute arbitrary commands against the remote SQL database or use the remote server to set up a cross-site scripting attack.
last seen2020-06-01
modified2020-06-02
plugin id18260
published2005-05-14
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18260
titleUltimate PHP Board < 1.9.7 viewforum.php Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(18260);
 script_version("1.20");

 script_cve_id("CVE-2005-1614", "CVE-2005-1615", "CVE-2005-1616");
 script_bugtraq_id(13621, 13622);
 
 script_name(english:"Ultimate PHP Board < 1.9.7 viewforum.php Multiple Vulnerabilities");

  script_set_attribute(
    attribute:"synopsis",
    value:"A web application on the remote host has multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running Ultimate PHP Board (UPB).  The remote
version of this software is vulnerable to cross-site scripting
attacks, and SQL injection flaws.

Using a specially crafted URL, an attacker may execute arbitrary
commands against the remote SQL database or use the remote server to
set up a cross-site scripting attack."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/bugtraq/2005/May/164"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to UPB 1.9.7 or later."
  );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/14");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/13");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
 script_summary(english:"Checks for UPB");
 
 script_category(ACT_GATHER_INFO);
  
 script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

# The script code starts here

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);

if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);


foreach d ( cgi_dirs() )
{
 req = http_get(item:string(d, "/index.php"), port:port);
 res = http_keepalive_send_recv(port:port, data:req);
 if( res == NULL ) exit(0);
 if(egrep(pattern:"Powered by UPB Version :.* (0\.|1\.([0-8][^0-9]|9[^0-9]|9\.[1-6][^0-9]))", string:res))
 {
 	security_hole(port);
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
	exit(0);
 }
}

References