Summary
| Detail | |||
|---|---|---|---|
| Vendor | Zeroboard | First view | 2002-12-31 |
| Product | Zeroboard | Last view | 2006-03-14 |
| Version | 4.1_pl2 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:zeroboard:zeroboard | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 4.3 | 2006-03-14 | CVE-2006-1222 | Multiple cross-site scripting (XSS) vulnerabilities in zeroboard 4.1 pl7 allows allow remote attackers to inject arbitrary web script or HTML via the (1) memo box title, (2) user email, and (3) homepage fields. |
| 7.5 | 2005-06-01 | CVE-2005-1820 | zboard.php in Zeroboard version 4.1pl2 to 4.1pl5 allows remote attackers to execute arbitrary PHP code via improper quoting when using the preg_replace function. |
| 7.5 | 2005-05-02 | CVE-2005-0380 | Multiple PHP remote file inclusion vulnerabilities in (1) print_category.php, (2) login.php, (3) setup.php, (4) ask_password.php, or (5) error.php in ZeroBoard 4.1pl5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the dir parameter to reference a URL on a remote web server that contains the code. |
| 5 | 2005-05-02 | CVE-2005-0379 | Multiple directory traversal vulnerabilities in ZeroBoard 4.1pl5 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the _zb_path parameter to (1) _head.php or (2) outlogin.php, or the dir parameter to (3) write.php. |
| 4.3 | 2005-02-19 | CVE-2005-0495 | Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote attackers to inject arbitrary web script or HTML via the (1) sn1, (2) year, or (3) page parameter to zboard.php or (4) filename to view_image.php. |
| 4.3 | 2004-12-31 | CVE-2004-2738 | Cross-site scripting (XSS) vulnerability in check_user_id.php in ZeroBoard 4.1pl4 and earlier allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. |
| 6.8 | 2004-12-31 | CVE-2004-1419 | PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the code. |
| 5 | 2002-12-31 | CVE-2002-1704 | Zeroboard 4.1, when the "allow_url_fopen" and "register_globals" variables are enabled, allows remote attackers to execute arbitrary PHP code by modifying the _zb_path parameter to reference a URL on a remote web server that contains the code. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 50% (1) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
| 50% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
CAPEC : Common Attack Pattern Enumeration & Classification
| id | Name |
|---|---|
| CAPEC-6 | Argument Injection |
| CAPEC-15 | Command Delimiters |
| CAPEC-79 | Using Slashes in Alternate Encoding |
| CAPEC-193 | PHP Remote File Inclusion |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 23847 | Zeroboard Session IP Security Bypass XSS |
| 21563 | ZeroBoard _zb_path Parameter Remote File Inclusion |
| 16996 | ZeroBoard zboard.php preg_replace() Arbitrary Code Execution |
| 14018 | ZeroBoard view_image.php filename Parameter XSS |
| 14017 | ZeroBoard zboard.php Multiple Parameter XSS |
| 12932 | ZeroBoard error.php dir Parameter Remote File Inclusion |
| 12931 | ZeroBoard ask_password.php dir Parameter Remote File Inclusion |
| 12930 | ZeroBoard setup.php dir Parameter Remote File Inclusion |
| 12929 | ZeroBoard login.php dir Parameter Remote File Inclusion |
| 12928 | ZeroBoard print_category.php dir Parameter Remote File Inclusion |
| 12927 | ZeroBoard outlogin.php Traversal Arbitrary File Access |
| 12926 | ZeroBoard write.php Traversal Arbitrary File Access |
| 12925 | ZeroBoard _head.php Traversal Arbitrary File Access |
| 12582 | ZeroBoard check_user_id.php user_id Parameter XSS |
| 12581 | ZeroBoard write.php Arbitrary Command Execution |
| 12580 | ZeroBoard outlogin.php Arbitrary Command Execution |
OpenVAS Exploits
| id | Description |
|---|---|
| 2005-11-03 | Name : Zeroboard flaws File : nvt/zeroboard_flaws.nasl |
| 2005-11-03 | Name : Zeroboard flaws (2) File : nvt/zeroboard_flaws2.nasl |
| 2005-11-03 | Name : Zeroboard XSS File : nvt/zeroboard_xss.nasl |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2005-02-23 | Name: The remote web server contains several PHP scripts that are prone to cross-si... File: zeroboard_xss.nasl - Type: ACT_ATTACK |
| 2005-01-17 | Name: The remote web server contains several PHP scripts that are prone to arbitrar... File: zeroboard_flaws2.nasl - Type: ACT_GATHER_INFO |
| 2004-12-28 | Name: The remote web server contains several PHP scripts that are prone to arbitrar... File: zeroboard_flaws.nasl - Type: ACT_ATTACK |
