Ultrascripts ≫ Ultraboard

The default installation of Ultraboard 2000 2.11 creates the Skins, Database, and Backups directories with world-writeable permissions, which could allow local users to modify sensitive information or possibly insert and execute CGI programs.

UltraBoard 1.6 and other versions allow remote attackers to cause a denial of service by referencing UltraBoard in the Session parameter, which causes UltraBoard to fork copies of itself.

UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows remote attackers to read arbitrary files via a pathname string that includes a dot dot (..) and ends with a null byte.