CVE-2006-4759 - PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remot

CVE-2006-4759

Summary

PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to admin_options.php with an avatars_dir parameter ending in %00. NOTE: this issue was originally disputed by the vendor, but the dispute was withdrawn on 20060926. Successful exploitation requires that the attacker has Administrative rights.

References

Vulnerable Configurations

cpe:2.3:a:punbb:punbb:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:punbb:punbb:1.2.12:*:*:*:*:*:*:*

CVSS

Base:	3.6 (as of 17-10-2018 - 21:39)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:S/C:N/I:P/A:P

refmap via4

bugtraq	20060911 ShAnKaR: multiple PHP application poison NULL byte vulnerability 20060919 Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability
confirm	http://forums.punbb.org/viewtopic.php?id=13255
misc	http://www.security.nnov.ru/Odocument221.html
vim	20060919 Dispute - CVE-2006-4759 - PunBB 20060925 PunBB - more 20060926 PunBB - more
xf	phpbb-nullbyte-file-upload(28884)

statements via4

contributor	Rickard Andersson
lastmodified	2006-09-28
organization	PunBB
statement	PunBB 1.2.13 has been released to fix this vulnerability. The updated version is available at http://punbb.org/downloads.php.

Last major update

17-10-2018 - 21:39

Published

13-09-2006 - 23:07

Last modified

17-10-2018 - 21:39