Intrusion Prevention

NuclearBB.Root.Path.Parameter.File.Inclusion

Description

NuclearBB Alpha has a remote file inclusion vulnerability. When "register_globals" is enabled a remote attacker can execute arbitrary script code on the web server, with the privileges of the server, via a specially crafted URL request to 'tasks/send_queued_emails.php' with the "root_path" parameter set to specify a malicious PHP file from a remote system.

Affected Products

NuclearBB Alpha 2

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Currently we are not aware of any vendor supplied patch for this issue.

CVE References

CVE-2007-4906