UBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewmessage.php' script not properly sanitizing user-supplied input to the 'message' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

Upgrade to version 6.5.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1014285
• Bugtraq ID: 14052
• Secunia Advisory ID: 15805
• Related OSVDB ID: 17512 17517 17518 17521 17525 17526 17527 17528 17530 17531 17532 17533 17534
• CVE ID: 2005-2058 (see also: NVD)
• ISS X-Force ID: 21124
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0213.html
  http://archives.neohapsis.com/archives/bugtraq/2009-03/0159.html
• Other Advisory URL: http://www.cyberlords.net/advisories/cl_ubb.txt
  http://www.gulftech.org/?node=research&article_id=00084-06232005
• Vendor Specific Solution URL: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351
• Vendor URL: http://www.ubbcentral.com/ubbthreads/

• James Bercegay - securitygulftech.org - GulfTech Security Research