CVE-2006-3207 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in newpost.php in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence and trailing null (%00) byte in the id parameter, as demonstrated by injecting a Perl CGI script using "[NR]" sequences in the message parameter, then calling close.php with modified id and t_id parameters to chmod the script. NOTE: this issue might be resultant from dynamic variable evaluation.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ultimate Php Board	Ultimate Php Board

Configuration 1 [-]

OR	cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8:::::::*
	cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8.2:::::::*
	cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9:::::::*
	cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9.6:::::::*

No data.

References

Link	Providers
http://securityreason.com/securityalert/1138
http://www.securityfocus.com/archive/1/437875/100/0/threaded

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-06-24T01:00:00

Updated: 2024-08-07T18:23:20.116Z

Reserved: 2006-06-23T00:00:00

Link: CVE-2006-3207

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-06-24T01:06:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-3207

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-06-20T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in newpost.php in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence and trailing null (%00) byte in the id parameter, as demonstrated by injecting a Perl CGI script using \"[NR]\" sequences in the message parameter, then calling close.php with modified id and t_id parameters to chmod the script. NOTE: this issue might be resultant from dynamic variable evaluation."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1138", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1138"}, {"name": "20060620 ULtimate PHP Board <= 1.96 GOLD Code Execution (exploit code)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/437875/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-3207", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in newpost.php in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence and trailing null (%00) byte in the id parameter, as demonstrated by injecting a Perl CGI script using \"[NR]\" sequences in the message parameter, then calling close.php with modified id and t_id parameters to chmod the script. NOTE: this issue might be resultant from dynamic variable evaluation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1138", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1138"}, {"name": "20060620 ULtimate PHP Board <= 1.96 GOLD Code Execution (exploit code)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/437875/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T18:23:20.116Z"}, "title": "CVE Program Container", "references": [{"name": "1138", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/1138"}, {"name": "20060620 ULtimate PHP Board <= 1.96 GOLD Code Execution (exploit code)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/437875/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-3207", "datePublished": "2006-06-24T01:00:00", "dateReserved": "2006-06-23T00:00:00", "dateUpdated": "2024-08-07T18:23:20.116Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8:*:*:*:*:*:*:*", "matchCriteriaId": "8EC70A25-AB74-4088-BB10-3B7748E70EA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "53E41185-4834-4D85-AF2D-7F10AA98481D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "76565865-21E3-4007-8624-48FDC000EBF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "7869B748-3898-44CA-BA28-B81491241043", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in newpost.php in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence and trailing null (%00) byte in the id parameter, as demonstrated by injecting a Perl CGI script using \"[NR]\" sequences in the message parameter, then calling close.php with modified id and t_id parameters to chmod the script. NOTE: this issue might be resultant from dynamic variable evaluation."}, {"lang": "es", "value": ""}], "id": "CVE-2006-3207", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-06-24T01:06:00.000", "references": [{"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1138"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/437875/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1138"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/437875/100/0/threaded"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}