CVE-2006-4758 - phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated adm

CVE-2006-4758

Summary

phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00. Successful exploitation requires that the attacker has Administrative rights.

References

Vulnerable Configurations

cpe:2.3:a:phpbb_group:phpbb:2.0.21:*:*:*:*:*:*:*
cpe:2.3:a:phpbb_group:phpbb:2.0.21:*:*:*:*:*:*:*

CVSS

Base:	4.6 (as of 17-10-2018 - 21:39)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:S/C:P/I:P/A:P

refmap via4

bid	20347 21806
bugtraq	20060911 ShAnKaR: multiple PHP application poison NULL byte vulnerability
confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388120
debian	DSA-1488
misc	http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=489624 http://www.security.nnov.ru/Odocument221.html
secunia	22188 28871
xf	phpbb-nullbyte-file-upload(28884)

Last major update

17-10-2018 - 21:39

Published

13-09-2006 - 23:07

Last modified

17-10-2018 - 21:39