A vulnerability was found in OpenPinboard 2.0 (Forum Software) and classified as critical. Affected by this issue is some unknown functionality of the file index.php. The manipulation with an unknown input leads to a file inclusion vulnerability. Using CWE to declare the problem leads to CWE-73. The product allows user input to control or influence paths or file names that are used in filesystem operations. Impacted is confidentiality, integrity, and availability. CVE summarizes:

** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete.

The weakness was disclosed 01/04/2007 as not defined posting (Bugtraq). The advisory is shared for download at securityfocus.com. This vulnerability is handled as CVE-2007-0050 since 01/03/2007. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available.

The real existence of this vulnerability is still doubted at the moment. By approaching the search of inurl:index.php it is possible to find vulnerable targets with Google Hacking.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at OSVDB (33375†). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Forum Software

Name

• OpenPinboard

Version

• 2.0

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion