Ultimate PHP Board Data Disclosure
OWASP 2013-A6 OWASP 2017-A3 OWASP 2021-A2 OWASP PC-C8 CAPEC-37 CWE-200 WASC-13 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ultimate PHP Board (UPB) is a complete text-based messageboard. This works without the use of MySQL. The features of UPB are:-
- No SQL database
- With complete administration panel
- Topic bookmarking and watching
- Easy to use
There are many servers having the vulnerable version of Ultimate PHP Board (UPB) that stores users data file under the web root with insufficient access control. This will allows remote attackers to obtain usernames and passwords.
The impact include:-
- The attacker might get the access to the content.
- Possible loss of sensitive information.
- Possible manipulation of the web application.
- Cross-site scripting attacks (XSS)
Mitigation / Precaution
This vulnerability can be fixed by:-
- Implementing proper input validation methods.