Vulnerability & Exploit Database

Back to search

FreeBSD: phpbb -- NULL byte injection vulnerability (CVE-2006-4758)

Severity CVSS Published Added Modified
5 (AV:N/AC:H/Au:S/C:P/I:P/A:P) September 13, 2006 May 08, 2014 February 17, 2015

Description

phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial

References

Solution

freebsd-upgrade-package-phpbb