A vulnerability was found in Zeroboard 4.1 Pl2 (Forum Software). It has been classified as critical. This affects some unknown processing. The manipulation of the argument _zb_path with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on integrity. The summary by CVE is:

Zeroboard 4.1, when the "allow_url_fopen" and "register_globals" variables are enabled, allows remote attackers to execute arbitrary PHP code by modifying the _zb_path parameter to reference a URL on a remote web server that contains the code.

The weakness was disclosed 12/31/2002 (Website). It is possible to read the advisory at online.securityfocus.com. This vulnerability is uniquely identified as CVE-2002-1704 since 06/21/2005. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at X-Force (9366). The entries VDB-24438, VDB-25412, VDB-29192 and VDB-30865 are pretty similar.

Productinfo

Type

• Forum Software

Name

• Zeroboard

Version

• 4.1 Pl2

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion