CVE-2006-4758

Publication date 13 September 2006

Last updated 24 July 2024


Ubuntu priority

phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_board.php with an avatar_path parameter ending in .php%00.

Status

No maintained releases are affected by this CVE.

Package  Ubuntu Release   Status
phpbb2   9.10 karmic      Not in release
         9.04 jaunty      Not in release
         8.10 intrepid    Fixed 2.0.21-6
         8.04 LTS hardy   Fixed 2.0.21-6
         7.10 gutsy       Fixed 2.0.21-6
         7.04 feisty      Fixed 2.0.21-6
         6.10 edgy        Ignored end of life, was needed
         6.06 LTS dapper  Ignored end of life

Patch details

For informational purposes only. We recommend not cherry-picking updates.

Package Patch details
phpbb2