UBB.threads contains a flaw that allows a remote HTTP response splitting attack. This flaw exists because the application does not validate the 'Cat' variable upon submission to the 'toggleshow.php' script. This could allow an attacker to create a specially crafted URL that would present a fake web page to a user, steal session cookies, or execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1014285
• Bugtraq ID: 14053
• Secunia Advisory ID: 15805
• Related OSVDB ID: 17512 17517 17519 17520 17521 17525
• CVE ID: 2005-2060 (see also: NVD)
• ISS X-Force ID: 21127
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html
• Generic Informational URL: http://en.wikipedia.org/wiki/HTTP_response_splitting
• Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00084-06232005
  http://www.uscert.gov/cas/bulletins/SB05-180.pdf
• Vendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351
• Vendor URL: http://www.ubbcentral.com/ubbthreads/

• James Bercegay - securitygulftech.org - GulfTech Security Research