Vulnerabilities > CVE-2006-2908 - Remote PHP Script Code Injection vulnerability in Mybulletinboard 1.1.2

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

mybulletinboard

exploit available

NVD

Published: 2006-06-13

Updated: 2018-10-18

Summary

The domecode function in inc/functions_post.php in MyBulletinBoard (MyBB) 1.1.2, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

Vulnerable Configurations

Part	Description	Count
Application	Mybulletinboard Mybulletinboard Mybulletinboard 1.1.2	1

Exploit-Db

description	MyBulletinBoard (MyBB) < 1.1.3 Remote Code Execution Exploit. CVE-2006-2908. Webapps exploit for php platform
id	EDB-ID:1909
last seen	2016-01-31
modified	2006-06-13
published	2006-06-13
reporter	Javier Olascoaga
source	https://www.exploit-db.com/download/1909/
title	MyBulletinBoard MyBB < 1.1.3 - Remote Code Execution Exploit

Packetstorm

data source	https://packetstormsecurity.com/files/download/47417/mybibi_pl.txt
id	PACKETSTORM:47417
last seen	2016-12-05
published	2006-06-15
reporter	Javier Olascoaga
source	https://packetstormsecurity.com/files/47417/mybibi_pl.txt.html
title	mybibi_pl.txt

Summary

Vulnerable Configurations

Exploit-Db

Packetstorm

References